JLSEC-2025-4

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-4.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-4.json

JSON Data

https://api.osv.dev/v1/vulns/JLSEC-2025-4

Aliases

CVE-2025-52480
GHSA-w8jv-rg3h-fc68

Published

2025-10-08T17:41:37.190Z

Modified

2025-11-06T22:57:14.744879Z

Summary

Argument injection in `gettreesha()` function in Registrator.jl

Details

Impact

If the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the gettreesha() function. This can then lead to a potential RCE.

Patches

Users should upgrade immediately to v1.9.5. All prior versions are vulnerable.

Workarounds

None

References

Fixed by: https://github.com/JuliaRegistries/Registrator.jl/pull/449 (which is available in v1.9.5).

Credits

Thanks to splitline from the DEVCORE Research Team for reporting this issue.

Database specific

{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "published": "2025-06-24T23:01:40Z",
            "url": "https://api.github.com/repos/JuliaRegistries/Registrator.jl/security-advisories/GHSA-w8jv-rg3h-fc68",
            "modified": "2025-06-24T23:01:40Z",
            "html_url": "https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-w8jv-rg3h-fc68",
            "id": "GHSA-w8jv-rg3h-fc68",
            "imported": "2025-10-07T14:22:31.190Z"
        }
    ]
}

References

Affected packages

Julia / Registrator

Package

Name: Registrator
Purl: pkg:julia/Registrator?uuid=4418983a-e44d-11e8-3aec-9789530b3b3e

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.5

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-4.json"