Shell Command Construction Vulnerability in Thor by Rails
CVE-2025-54314

2.8LOW

Key Information:

Vendor: Rubyonrails
Status: Thor
Vendor: CVE Published:; 20 July 2025

🔔 Create Rubyonrails Vulnerability Alert

What is CVE-2025-54314?

The Thor library, used for creating command-line interfaces, contains a vulnerability that allows an attacker to construct unsafe shell commands by leveraging library input. This issue arises in versions prior to 1.4.0, posing a risk when untrusted data is processed. Users are strongly advised to upgrade to the latest version to mitigate this security risk and ensure safer command execution.

Affected Version(s)

Thor 0 < 1.4.0

References

https://github.com/rails/thor/commit/536b79036a0efb765c18...

https://hackerone.com/reports/3260153

https://github.com/rails/thor/pull/897

CVSS V3.1

Score:

2.8

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 20, 2025
Vulnerability Reserved
Jul 20, 2025