GHSA-mqcp-p2hv-vw6x

Source
https://github.com/advisories/GHSA-mqcp-p2hv-vw6x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-mqcp-p2hv-vw6x/GHSA-mqcp-p2hv-vw6x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mqcp-p2hv-vw6x
Related
Withdrawn
2025-08-13T18:55:16Z
Published
2025-07-20T03:30:19Z
Modified
2025-08-13T19:28:24.382614Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Withdrawn Advisory: Thor can construct an unsafe shell command from library input.
Details

Withdrawn Advisory

This advisory has been withdrawn because the method described can only be used with arguments that are controlled by Thor, and an external attacker cannot access the functionality described in the body of the CVE. This link is maintained to preserve external references.

Original Description

Thor before 1.4.0 can construct an unsafe shell command from library input.

Database specific
{
    "severity": "HIGH",
    "github_reviewed_at": "2025-07-21T19:33:25Z",
    "nvd_published_at": "2025-07-20T03:15:22Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed": true
}
References

Affected packages

RubyGems / thor

Package

Name
thor
Purl
pkg:gem/thor

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0

Affected versions

0.*

0.9.2
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.11.5
0.11.6
0.11.7
0.11.8
0.12.0
0.12.2
0.12.3
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.16.0
0.17.0
0.18.0
0.18.1
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.20.0
0.20.1
0.20.2
0.20.3

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2