JLSEC-2025-4

Argument injection in `gettreesha()` function in Registrator.jl

JLSEC Published
Modified
Affected Packages
Registrator < 1.9.5

Impact

If the clone URL returned by GitHub is malicious (or can be injected through upstream vulnerabilities), argument injection is possible in the `gettreesha()` function. This can potentially lead to remote code execution (RCE).

Patches

Users should upgrade immediately to v1.9.5. All prior versions are vulnerable.

Workarounds

None

References

Fixed by: https://github.com/JuliaRegistries/Registrator.jl/pull/449 (which is available in v1.9.5).

Credits

Thanks to splitline from the DEVCORE Research Team for reporting this issue.