GHSA-mqcp-p2hv-vw6x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mqcp-p2hv-vw6x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-mqcp-p2hv-vw6x/GHSA-mqcp-p2hv-vw6x.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-mqcp-p2hv-vw6x
- Aliases
- Related
- Published
- 2025-07-20T03:30:19Z
- Modified
- 2025-07-22T22:03:26.747009Z
- Severity
-
- 2.8 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
- Summary
- Thor can construct an unsafe shell command from library input.
- Details
-
Thor before 1.4.0 can construct an unsafe shell command from library input.
- Database specific
{ "github_reviewed": true, "severity": "LOW", "github_reviewed_at": "2025-07-21T19:33:25Z", "cwe_ids": [ "CWE-78" ], "nvd_published_at": "2025-07-20T03:15:22Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-54314
- https://github.com/rails/thor/pull/897
- https://github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa
- https://hackerone.com/reports/3260153
- https://github.com/rails/thor
- https://github.com/rails/thor/releases/tag/v1.4.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/thor/CVE-2025-54314.yml
Affected packages
RubyGems / thor
Package
- Name
- thor
- Purl
- pkg:gem/thor
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.4.0
Affected versions
0.*
0.9.2
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.11.5
0.11.6
0.11.7
0.11.8
0.12.0
0.12.2
0.12.3
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.16.0
0.17.0
0.18.0
0.18.1
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.20.0
0.20.1
0.20.2
0.20.3
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2