{"id":"JLSEC-2025-4","summary":"Argument injection in `gettreesha()` function in Registrator.jl","details":"### Impact\n\nIf the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the `gettreesha()` function. This can then lead to a potential RCE.\n\n### Patches\n\nUsers should upgrade immediately to v1.9.5. All prior versions are vulnerable.\n\n### Workarounds\n\nNone\n\n### References\n\nFixed by: https://github.com/JuliaRegistries/Registrator.jl/pull/449 (which is available in v1.9.5).\n\n### Credits\n\nThanks to *splitline* from the DEVCORE Research Team for reporting this issue.","aliases":["CVE-2025-52480","GHSA-w8jv-rg3h-fc68"],"modified":"2025-11-06T22:57:14.744879Z","published":"2025-10-08T17:41:37.190Z","database_specific":{"license":"CC-BY-4.0","sources":[{"id":"GHSA-w8jv-rg3h-fc68","published":"2025-06-24T23:01:40Z","url":"https://api.github.com/repos/JuliaRegistries/Registrator.jl/security-advisories/GHSA-w8jv-rg3h-fc68","modified":"2025-06-24T23:01:40Z","html_url":"https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-w8jv-rg3h-fc68","imported":"2025-10-07T14:22:31.190Z"}]},"affected":[{"package":{"name":"Registrator","ecosystem":"Julia","purl":"pkg:julia/Registrator?uuid=4418983a-e44d-11e8-3aec-9789530b3b3e"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.9.5"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-4.json"}}],"schema_version":"1.7.3"}