CVE-2025-52480
Published: 25 June 2025
Summary
CVE-2025-52480 is a high-severity Argument Injection (CWE-88) vulnerability in Julialang Registrator. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 15.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Registrator is a GitHub app that automates creation of registration pull requests for Julia packages to the General registry. Prior to version 1.9.5, the `gettreesha()` function is vulnerable to argument injection when a malicious or attacker-controlled clone URL is returned by GitHub, including via an upstream injection. The issue is tracked as CWE-88 and carries a CVSS 4.0 score of 8.1, reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can exploit the flaw by causing Registrator to process a crafted clone URL, resulting in arbitrary command execution on the host running the application. The attack does not require user interaction or credentials and can be triggered through normal GitHub interactions that feed data into the vulnerable function.
The GitHub security advisory GHSA-w8jv-rg3h-fc68 and associated pull request direct users to upgrade immediately to version 1.9.5 for the fix; all earlier releases are vulnerable and no workarounds are documented.
EPSS remains low and unchanged at 0.0205 with no observed rise after disclosure.
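The defensive pattern for this class of bug, as an added example that is not Registrator's own code: it assumes the vulnerable path hands a GitHub-supplied clone URL to a `git` subprocess as a positional argument, and shows both an allowlist validator for the URL and argv construction with `--` so that no value can be parsed as an option. The host/path policy and helper names are assumptions for illustration.

```python
"""Hardening a clone-URL-to-argv path against argument injection (CWE-88).

Added example, not Registrator's code. Assumes the vulnerable function passes
a GitHub-returned clone URL to a git subprocess as a positional argument.
"""
import re
from urllib.parse import urlsplit

# Constructed policy: only HTTPS URLs for repositories hosted on github.com.
ALLOWED_HOSTS = {"github.com"}
REPO_PATH = re.compile(r"^/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def validate_clone_url(url: str) -> str:
    """Return url if it is a well-formed https://github.com/owner/repo URL.

    Raises ValueError otherwise. The leading-dash check is the core CWE-88
    control: a value beginning with '-' would be parsed by git as an option.
    """
    if not isinstance(url, str) or url.startswith("-"):
        raise ValueError("clone URL must not look like a command-line option")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https clone URLs are accepted")
    if parts.netloc.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {parts.netloc!r}")
    if not REPO_PATH.match(parts.path) or parts.query or parts.fragment:
        raise ValueError("unexpected repository path")
    return url


def git_ls_remote_argv(url: str, ref: str) -> list[str]:
    """Build argv for `git ls-remote` with positional arguments after `--`.

    `--` ends option parsing, so neither the URL nor the ref can be taken as
    a flag even if validation were bypassed. The list is meant for
    subprocess.run(argv, shell=False); no shell is involved.
    """
    safe_url = validate_clone_url(url)
    if ref.startswith("-"):
        raise ValueError("ref must not look like a command-line option")
    return ["git", "ls-remote", "--", safe_url, ref]


def is_safe_clone_url(url: str) -> bool:
    """Accept/reject wrapper for callers that do not need the reason."""
    try:
        validate_clone_url(url)
        return True
    except ValueError:
        return False
```

Rejecting option-shaped values before the subprocess call and terminating option parsing with `--` are independent controls; a review of any such code path should confirm both are present.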
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19119
Vulnerability details
Registrator is a GitHub app that automates creation of registration pull requests for Julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the `gettreesha()` function. This can then lead to a potential remote code execution. Users should upgrade immediately to v1.9.5 to receive a patch. All prior versions are vulnerable. No known workarounds are available.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.