
Command injection in `withpasswd()` function in Registrator.jl

Critical
aviks published GHSA-589r-g8hf-xx59 Jun 24, 2025

Package

Registrator.jl (Julia)

Affected versions

<=1.9.4

Patched versions

1.9.5

Description

Impact

If the clone URL returned by GitHub is malicious (or can be injected through an upstream vulnerability), a shell command injection is possible inside the `withpasswd()` function. Because the injected text runs in the shell that executes the clone, this can lead to remote code execution (RCE) on the host running Registrator.
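The following Julia snippet is an added illustration of the bug class described above, not code from Registrator.jl or from its fix. It assumes the vulnerable pattern is a clone URL spliced into a single shell string (the exact `withpasswd()` implementation is not reproduced here), and sets it beside two hardened forms: Julia's argument-vector `Cmd` objects, which never invoke a shell, and an allow-list check on the URL shape. The malicious URL and the `GITHUB_CLONE_URL` regex are constructed for the example.

```julia
# Added example (not Registrator.jl's code): how a clone URL reaches the shell
# in the vulnerable pattern versus the hardened patterns.

# Constructed malicious clone URL: a shell treats ';' as a command separator,
# so anything after it would run as a second command.
const EVIL_URL = "https://github.com/example/Pkg.jl.git; echo INJECTED"

# Vulnerable pattern (assumed shape of the bug): the URL is interpolated into
# one string that is handed to `sh -c`, so the shell re-parses it and any
# metacharacters in the URL become extra commands.
function clone_cmd_unsafe(url::AbstractString)
    return Cmd(["sh", "-c", "git clone $url dest"])
end

# Hardened pattern 1: Julia backtick commands pass an interpolated String as a
# single argv element and never start a shell. The ';' stays inside one
# argument, which git simply rejects as a malformed URL.
function clone_cmd_safe(url::AbstractString)
    return `git clone $url dest`
end

# Hardened pattern 2: allow-list the URL before it goes anywhere near a
# process. Constructed pattern: only https://github.com/<owner>/<repo>[.git].
const GITHUB_CLONE_URL = r"^https://github\.com/[A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-]+(\.git)?$"

valid_clone_url(url::AbstractString) = occursin(GITHUB_CLONE_URL, url)

# Validation and argv construction together: refuse anything that does not
# match the allow-list, then build a shell-free command.
function clone_cmd_checked(url::AbstractString)
    valid_clone_url(url) || throw(ArgumentError("refused clone URL: $(repr(url))"))
    return clone_cmd_safe(url)
end

# Inspect how each form tokenizes the same input (nothing is executed here).
println("unsafe argv: ", clone_cmd_unsafe(EVIL_URL).exec)
println("safe argv:   ", clone_cmd_safe(EVIL_URL).exec)
println("allow-list:  ", valid_clone_url(EVIL_URL))
```

Running this prints the unsafe form as three argv entries, the third being the whole `git clone ...; echo INJECTED dest` string that `sh` would split at the `;`, while the safe form keeps the URL as one argument to `git` and the allow-list check returns `false`. Both hardening steps are independent: the argv form removes the shell from the path entirely, and the allow-list stops unexpected input before it is used, which also covers cases where the command itself must run through a shell for other reasons.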

Patches

Users should upgrade immediately to v1.9.5. All prior versions are vulnerable.

Workarounds

None

References

Fixed by: #448 (which is available in v1.9.5).

Credits

Thanks to splitline from the DEVCORE Research Team for reporting this issue.

Severity

Critical

CVE ID

CVE-2025-52483

Weaknesses

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.