GHSA-2c47-m757-32g6

Source
https://github.com/advisories/GHSA-2c47-m757-32g6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-2c47-m757-32g6/GHSA-2c47-m757-32g6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2c47-m757-32g6
Aliases
Published
2025-05-21T18:32:37Z
Modified
2025-05-27T19:26:20.546533Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Insufficient input sanitization in ejson2env
Details

Summary

The ejson2env tool has a vulnerability related to how it writes to stdout. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to stdout. If this output is improperly utilized in further command execution, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system.

Details

The vulnerability exists because environment variables are not properly sanitized during the decryption phase, which enables malicious keys or encrypted values to inject commands.

Impact

An attacker with control over .ejson files can inject commands in the environment where source $(ejson2env) or eval ejson2env are executed.

Mitigation

  • Update to a version of ejson2env that sanitizes the output during decryption or
  • Do not use ejson2env to decrypt untrusted user secrets or
  • Do not evaluate or execute the direct output from ejson2env without removing nonprintable characters.
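The output-side check the mitigations point at, as an added example (not code from ejson2env or its fix): before a line is written for a shell to `eval`, the key must be a valid variable name and the value must contain no non-printable characters. `RenderExports`, `safeValue` and `quoteValue` are hypothetical names, and the `export NAME='value'` line shape is an assumption; this version is strict and also rejects values that contain newlines.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"unicode"
	"unicode/utf8"
)

// validName matches a POSIX shell variable name.
var validName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// safeValue reports whether v is valid UTF-8 made only of printable runes.
func safeValue(v string) bool {
	return utf8.ValidString(v) && strings.IndexFunc(v, func(r rune) bool { return !unicode.IsPrint(r) }) < 0
}

// quoteValue wraps v in single quotes; an embedded ' becomes '\''.
func quoteValue(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// RenderExports (hypothetical helper) returns one export line per entry,
// or an error if any key or value is unsafe to hand to a shell.
func RenderExports(env map[string]string) (string, error) {
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output order
	var b strings.Builder
	for _, k := range keys {
		if !validName.MatchString(k) {
			return "", fmt.Errorf("rejected key %q: not a valid variable name", k)
		}
		if !safeValue(env[k]) { // the value itself is never echoed into the error
			return "", fmt.Errorf("rejected value for %s: non-printable characters", k)
		}
		fmt.Fprintf(&b, "export %s=%s\n", k, quoteValue(env[k]))
	}
	return b.String(), nil
}

func main() {
	// Constructed sample data, not real secrets.
	out, err := RenderExports(map[string]string{"API_TOKEN": "it's ok", "DB_HOST": "db.internal"})
	fmt.Printf("%s(err=%v)\n", out, err)
}
```

Failing closed on the first bad entry means a partially rendered environment is never handed to `eval`.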

Credit

Thanks to security researcher Demonia for reporting this issue.

Database specific
{
    "nvd_published_at": "2025-05-21T18:15:53Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-21T18:32:37Z"
}
References

Affected packages

Go / github.com/Shopify/ejson2env/v2

Package

Name
github.com/Shopify/ejson2env/v2
Purl
pkg:golang/github.com/Shopify/ejson2env/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.8

RubyGems / ejson2env

Package

Name
ejson2env
Purl
pkg:gem/ejson2env

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.8

Affected versions

1.*

1.0.0
1.0.2
1.0.3
1.0.4
1.1.0

2.*

2.0.0
2.0.1
2.0.5

Go / github.com/Shopify/ejson2env

Package

Name
github.com/Shopify/ejson2env
Purl
pkg:golang/github.com/Shopify/ejson2env

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

{
    "last_known_affected_version_range": "< 2.0.8"
}