JLSEC-2025-2
Command injection in `withpasswd()` function in Registrator.jl
Impact
If the clone URL returned by GitHub is malicious (or can be injected via an upstream vulnerability), shell script injection can occur within the `withpasswd()` function. This can then lead to remote code execution (RCE).
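The pattern behind this class of bug, as an added illustration that is not Registrator.jl's code and does not reproduce the exact construction inside `withpasswd()`: a clone URL string is interpolated into a shell script that is handed to `sh -c`, so shell metacharacters in the URL are parsed as commands. The hardened variant passes the URL as a single argument through Julia's `Cmd` interpolation (no shell is involved) and checks its shape first; the `ALLOWED_HOST` constant, the URL regex and the constructed `BAD_URL` value are assumptions made for this example.

```julia
# Added illustration (not Registrator.jl's code): interpolating an untrusted
# clone URL into a shell script versus passing it as a plain argv element.

# Hypothetical vulnerable pattern: the URL is pasted into a script string and
# the whole string is handed to `sh -c`. The shell then interprets `;`, `&&`,
# backticks and `$(...)` inside the URL as command syntax.
function clone_unsafe(url::AbstractString, dest::AbstractString)
    script = "git clone $url $dest"
    return `sh -c $script`      # returned, not run, so the example is inert
end

# Hardened pattern. Julia's Cmd interpolation places $url into argv directly
# (execve, no shell), so metacharacters are inert. The URL is also validated
# against the host we expect before it is used at all.
const ALLOWED_HOST = "github.com"   # assumption: clones only come from GitHub

# Accept only https://<host>/<owner>/<repo>[.git]; reject everything else.
const CLONE_URL_RE = r"^https://([A-Za-z0-9.-]+)/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(\.git)?$"

function validate_clone_url(url::AbstractString)
    m = match(CLONE_URL_RE, url)
    m === nothing && throw(ArgumentError("clone URL has unexpected shape: $url"))
    m.captures[1] == ALLOWED_HOST ||
        throw(ArgumentError("clone URL host not allowed: $(m.captures[1])"))
    return url
end

function clone_safe(url::AbstractString, dest::AbstractString)
    validate_clone_url(url)
    # `--` ends git option parsing, so a value starting with '-' cannot be
    # read as a flag; $url and $dest each become exactly one argv entry.
    return `git clone -- $url $dest`
end

# Constructed malicious value of the kind the advisory warns about.
const BAD_URL = "https://github.com/x/y.git; echo injected"

println("unsafe command: ", clone_unsafe(BAD_URL, "dest"))   # one sh -c string
try
    clone_safe(BAD_URL, "dest")
catch e
    println("rejected: ", e.msg)   # validation throws before any command is built
end
println("safe command:   ", clone_safe("https://github.com/x/y.git", "dest"))
```

Even without the validator, `clone_safe` would hand the entire malicious string to `git` as a single argument, where it fails as a bad URL rather than executing anything; the host check is the extra layer that keeps a forged clone URL from pointing the clone at an attacker-controlled server in the first place.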
Patches
Users should upgrade immediately to v1.9.5. All prior versions are vulnerable.
Workarounds
None
References
Fixed by: https://github.com/JuliaRegistries/Registrator.jl/pull/448 (which is available in v1.9.5).
Credits
Thanks to splitline from the DEVCORE Research Team for reporting this issue.