Shell Script Injection and Argument Injection in Registrator by Julia Registries
CVE-2025-52483
8.1HIGH
What is CVE-2025-52483?
Registrator, a GitHub application used for automating registration pull requests for Julia packages, has a significant injection vulnerability present in versions prior to 1.9.5. This vulnerability arises when a malicious clone URL is returned by GitHub, which can lead to shell script injection within the withpasswd function. Additionally, an argument injection vulnerability exists in the gettreesha function, both of which can potentially grant attackers remote code execution (RCE) capabilities. Users are strongly advised to upgrade to version 1.9.5 or later, as earlier versions are vulnerable and no known workarounds are available for this issue. For more technical details, refer to the relevant GitHub advisory.
Affected Version(s)
Registrator.jl < 1.9.5