CVE-2025-52480 · CRITICAL 9.8 · EPSS p43.5%


Description

Registrator is a GitHub app that automates creation of registration pull requests for Julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the `gettreesha()` function. This can then lead to a potential remote code execution. Users should upgrade immediately to v1.9.5 to receive a patch. All prior versions are vulnerable. No known workarounds are available.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.59% probability of exploitation · percentile 43.5% · 2026-06-18T12:00:27Z
Published: 2025-06-25
Last modified: 2025-09-19

Underlying weaknesses · 1

CWE-88

References

  1. https://github.com/JuliaRegistries/Registrator.jl/pull/449
  2. https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-w8jv-rg3h-fc68


Type: Weakness
Target: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (cwe-88)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-52483
  2. CVE-2025-22204
  3. CVE-2025-54416
  4. CVE-2025-58371
  5. CVE-2025-11148
  6. CVE-2025-10894

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.