CVE-2025-54314: Withdrawn Advisory: Thor can construct an unsafe shell command from library input.
(updated )
Withdrawn Advisory
This advisory has been withdrawn because the method described can only be used with arguments that are controlled by Thor, and an external attacker cannot access the functionality described in the body of the CVE. This link is maintained to preserve external references.
Original Description
Thor before 1.4.0 can construct an unsafe shell command from library input.
References
- github.com/advisories/GHSA-mqcp-p2hv-vw6x
- github.com/github/advisory-database/pull/5912
- github.com/rails/thor
- github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa
- github.com/rails/thor/pull/897
- github.com/rails/thor/releases/tag/v1.4.0
- github.com/rubysec/ruby-advisory-db/blob/master/gems/thor/CVE-2025-54314.yml
- hackerone.com/reports/3260153
- nvd.nist.gov/vuln/detail/CVE-2025-54314
Code Behaviors & Features
Detect and mitigate CVE-2025-54314 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →