JLSEC-2025-2

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-2.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-2.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2025-2
Aliases
Published
2025-10-08T17:41:37.190Z
Modified
2025-11-06T22:57:30.939831Z
Summary
Command injection in `withpasswd()` function in Registrator.jl
Details

Impact

If the clone URL returned by GitHub is malicious (or can be injected through an upstream vulnerability), it reaches a shell inside the `withpasswd()` function, so an attacker who controls that URL can inject shell commands. This can lead to remote code execution (RCE) on the host running Registrator.
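The advisory does not show the vulnerable code path, so the following is an added illustration, not Registrator.jl's own code, of the bug class in Python: a clone URL spliced into a command string that is handed to `sh -c`, beside the same URL passed as a single argv element, plus an allowlist check applied before the URL gets near any command. `printf` stands in for `git clone` so the example runs offline, and both URLs are constructed samples. Julia's backtick command syntax never invokes a shell and interpolates values as single arguments, so it behaves like the argv form below; the injection needs the URL to be parsed by a shell somewhere.

```python
import re
import subprocess

# Constructed sample inputs; these are not from the advisory.
BENIGN_URL = "https://github.com/JuliaRegistries/Example.jl.git"
# Hypothetical hostile clone URL: a command separator followed by an attacker command.
HOSTILE_URL = "https://github.com/x/y.git;echo INJECTED"

# Only plain https GitHub owner/repo URLs are accepted; shell metacharacters,
# other schemes and a leading '-' all fail this check.
CLONE_URL_RE = re.compile(r"^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?$")


def is_safe_clone_url(url: str) -> bool:
    """Allowlist check run before the URL is used in any command."""
    return CLONE_URL_RE.fullmatch(url) is not None


def clone_via_shell_string(url: str) -> str:
    """Vulnerable pattern: the URL is spliced into text that sh will parse.

    'printf' stands in for 'git clone' so this runs offline; the shell still
    treats the ';' in HOSTILE_URL as a command separator and runs what follows.
    """
    script = f"printf '%s\\n' {url}"
    result = subprocess.run(["sh", "-c", script], capture_output=True, text=True, check=True)
    return result.stdout


def clone_via_argv(url: str) -> str:
    """Hardened pattern: no shell; the URL is one argv element whatever it contains."""
    result = subprocess.run(["printf", "%s\n", url], capture_output=True, text=True, check=True)
    return result.stdout


def build_clone_argv(url: str) -> list:
    """Command line a hardened caller would execute for a real clone.

    The allowlist blocks metacharacters and foreign schemes; '--' stops git from
    reading a URL that begins with '-' as an option, because avoiding the shell
    alone does not prevent argument injection.
    """
    if not is_safe_clone_url(url):
        raise ValueError(f"refusing to clone untrusted URL: {url!r}")
    return ["git", "clone", "--", url]


if __name__ == "__main__":
    print("shell string, hostile URL ->", repr(clone_via_shell_string(HOSTILE_URL)))
    print("argv, hostile URL         ->", repr(clone_via_argv(HOSTILE_URL)))
    for candidate in (BENIGN_URL, HOSTILE_URL):
        try:
            print("would run:", build_clone_argv(candidate))
        except ValueError as err:
            print("rejected:", err)
```

Running the script shows the shell-string form executing the injected `echo` while the argv form prints the hostile URL as one literal string; `build_clone_argv` rejects it outright. The two defences are independent: the allowlist limits what can be cloned at all, and the argv form plus `--` ensures that whatever passes is data to git rather than code for a shell or an option for git.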

Patches

Users should upgrade immediately to v1.9.5; all prior versions are vulnerable. The installed version can be checked with `Pkg.status()` (or `] st` in the Julia REPL) before and after upgrading.

Workarounds

None

References

Fixed by: https://github.com/JuliaRegistries/Registrator.jl/pull/448 (which is available in v1.9.5).

Credits

Thanks to splitline from the DEVCORE Research Team for reporting this issue.

Database specific
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "published": "2025-06-24T23:01:34Z",
            "url": "https://api.github.com/repos/JuliaRegistries/Registrator.jl/security-advisories/GHSA-589r-g8hf-xx59",
            "modified": "2025-06-24T23:01:34Z",
            "html_url": "https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-589r-g8hf-xx59",
            "id": "GHSA-589r-g8hf-xx59",
            "imported": "2025-10-07T02:26:14.285Z"
        }
    ]
}

Affected packages

Julia / Registrator

Package

Name
Registrator
Purl
pkg:julia/Registrator?uuid=4418983a-e44d-11e8-3aec-9789530b3b3e

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.5

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-2.json"