Publish Advisories

GHSA-g3pv-pj5f-3hfq
GHSA-vx24-x4mv-vwr5
GHSA-2jjv-qf24-vfm4
GHSA-5hhx-v7f6-x7gv

Author: advisory-database[bot]

advisories/github-reviewed/2023/01/GHSA-g3pv-pj5f-3hfq/GHSA-g3pv-pj5f-3hfq.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g3pv-pj5f-3hfq",
-  "modified": "2024-09-24T20:40:46Z",
+  "modified": "2025-12-22T16:31:05Z",
   "published": "2023-01-18T00:30:18Z",
   "aliases": [
     "CVE-2021-32837"
@@ -68,6 +68,10 @@
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00028.html"
+    },
     {
       "type": "ADVISORY",
       "url": "https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize"

advisories/github-reviewed/2024/07/GHSA-vx24-x4mv-vwr5/GHSA-vx24-x4mv-vwr5.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vx24-x4mv-vwr5",
-  "modified": "2024-07-26T21:48:45Z",
+  "modified": "2025-12-22T16:31:41Z",
   "published": "2024-07-26T21:24:18Z",
   "aliases": [
     "CVE-2024-41815"
   ],
   "summary": "Starship vulnerable to shell injection via undocumented, unpredictable shell expansion in custom commands",
-  "details": "## Description \nStarship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash. Version 1.20.0 fixes the vulnerability.\n\n### PoC\nHave some custom command which prints out information from a potentially untrusted/unverified source.\n```\n[custom.git_commit_name]\ncommand = 'git show -s --format=\"%<(25,mtrunc)%s\"'\nstyle = \"italic\"\nwhen = true\n```\n\n### Impact\nThis issue only affects users with custom commands, so the scope is limited, and without knowledge of others' commands, it could be hard to successfully target someone. ",
+  "details": "## Description \nStarship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash. Version 1.20.0 fixes the vulnerability.\n\n### PoC\nHave some custom command which prints out information from a potentially untrusted/unverified source.\n```\n[custom.git_commit_name]\ncommand = 'git show -s --format=\"%<(25,mtrunc)%s\"'\nstyle = \"italic\"\nwhen = true\n```\n\n### Impact\nThis issue only affects users with custom commands, so the scope is limited, and without knowledge of others' commands, it could be hard to successfully target someone.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -58,6 +58,10 @@
     {
       "type": "WEB",
       "url": "https://github.com/starship/starship/releases/tag/v1.20.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0446.html"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2025/09/GHSA-2jjv-qf24-vfm4/GHSA-2jjv-qf24-vfm4.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2jjv-qf24-vfm4",
-  "modified": "2025-12-20T05:24:04Z",
+  "modified": "2025-12-22T16:31:26Z",
   "published": "2025-09-24T18:57:44Z",
   "aliases": [
     "CVE-2025-59828"
   ],
   "summary": "Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions",
-  "details": "When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running `yarn --version`. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and `yarnPath` could be executed prior to the user accepting the risks of working in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nThank you to [https://hackerone.com/michel_](https://hackerone.com/michel_) for reporting this issue!",
+  "details": "When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running `yarn --version`. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and `yarnPath` could be executed prior to the user accepting the risks of working in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nThank you to Benjamin Faller, Redguard AG and Michael Hess for reporting this issue!",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2025/11/GHSA-5hhx-v7f6-x7gv/GHSA-5hhx-v7f6-x7gv.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5hhx-v7f6-x7gv",
-  "modified": "2025-11-27T08:58:51Z",
+  "modified": "2025-12-22T16:31:15Z",
   "published": "2025-11-19T20:33:10Z",
   "aliases": [
     "CVE-2025-65099"
   ],
   "summary": "Claude Code vulnerable to command execution prior to startup trust dialog",
-  "details": "When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory running Yarn 3.0 or above. \n\nUsers on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nThank you to Benjamin Faller, Redguard AG and Michael Hess for reporting this issue!",
+  "details": "When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and yarnPath could be executed prior to the user accepting the risks of working in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nThank you to Benjamin Faller, Redguard AG and Michael Hess for reporting this issue!",
   "severity": [
     {
       "type": "CVSS_V4",