CVE-2025-54314

Severity CVSS v4.0:

Pending analysis

Type:

CWE-78 OS Command Injections

Publication date:

20/07/2025

Last modified:

10/08/2025

Description

Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."

Impact

Vector 3.x

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 2.80 LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): None
Integrity (I): Low
Availability (A): None

Base Score 3.x

2.80

Severity 3.x

LOW

References to Advisories, Solutions, and Tools

https://github.com/github/advisory-database/pull/5912#issuecomment-3169255309
https://github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa
https://github.com/rails/thor/pull/897
https://github.com/rails/thor/releases/tag/v1.4.0
https://hackerone.com/reports/3260153