Cyber Resilience

CVE-2025-52480

Severity: High
Published: 25 June 2025
Modified: 19 September 2025
KEV Added: not listed
Patch: available (v1.9.5)
CVSS v4 score: 8.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0205 (84.2nd percentile)
Risk Priority: 17 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-52480 is a high-severity argument injection (CWE-88) vulnerability in JuliaLang Registrator, with a CVSS v4.0 base score of 8.1 (High).

Operationally, its EPSS score places it in the top 15.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Registrator is a GitHub app that automates creation of registration pull requests for Julia packages to the General registry. Prior to version 1.9.5, the gettreesha() function is vulnerable to argument injection when the clone URL returned by GitHub is malicious or attacker-controlled, including when it is injected through an upstream vulnerability. The issue is tracked as CWE-88 and carries a CVSS 4.0 score of 8.1, reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The vector's E:U component indicates that exploit maturity is unreported.

An unauthenticated remote attacker who can control the clone URL that Registrator receives can cause the crafted value to be passed into the vulnerable function, where it is interpreted as an argument rather than as a plain URL; the advisory rates the outcome as potential remote code execution on the host running the application. No user interaction or credentials are required. The precondition is control of the clone URL, which the advisory notes may be achievable through an upstream vulnerability rather than through Registrator alone.
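To make the CWE-88 mechanism concrete, the following is an added example and is not Registrator's own code: it does not reproduce gettreesha(). It shows the general vulnerable pattern (an untrusted clone URL placed directly into a git argument vector, where a value beginning with "-" is parsed by git as an option even though no shell is involved) beside a hardened form that allowlists the URL shape and terminates option parsing with "--". The function names, the allowed-host set, and the sample URLs are constructed for illustration.

```python
"""Argument injection through an attacker-controlled git clone URL.

Added example, not code from Registrator. Function names, ALLOWED_HOSTS
and the sample URLs below are constructed for illustration; the real
gettreesha() implementation is not reproduced here.
"""
import re
from urllib.parse import urlsplit

# Constructed sample inputs. git parses an argument that starts with '-'
# as an option, so a "URL" like the first one is read as --upload-pack,
# which tells git what command to run to talk to the remote.
EVIL_URL = "--upload-pack=touch /tmp/pwned"
GOOD_URL = "https://github.com/JuliaLang/Example.jl.git"

# Hypothetical allowlist for this example; a real deployment would use
# the host(s) it actually clones from.
ALLOWED_HOSTS = {"github.com"}


class UnsafeCloneURL(ValueError):
    """Raised when a clone URL fails the allowlist checks."""


def build_clone_argv_unsafe(clone_url: str, dest: str) -> list[str]:
    """Vulnerable pattern: the untrusted URL lands in option position.

    No shell is involved (argv is handed straight to the process), so this
    is CWE-88 argument injection rather than shell injection: git itself
    interprets a leading '-' as an option.
    """
    return ["git", "clone", clone_url, dest]


def git_would_treat_as_options(argv: list[str]) -> list[str]:
    """Crude model of git's option parser, constructed for illustration:
    every argument starting with '-' is an option until a bare '--'."""
    options = []
    for arg in argv[2:]:          # skip "git" and the subcommand
        if arg == "--":
            break
        if arg.startswith("-"):
            options.append(arg)
    return options


def validate_clone_url(clone_url: str) -> str:
    """Allowlist the URL shape before it ever reaches git."""
    if clone_url.startswith("-"):
        raise UnsafeCloneURL(f"clone URL starts with '-': {clone_url!r}")
    parts = urlsplit(clone_url)
    if parts.scheme != "https":
        raise UnsafeCloneURL(f"unexpected scheme {parts.scheme!r}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UnsafeCloneURL(f"unexpected host {parts.hostname!r}")
    if parts.username or parts.password or parts.port:
        raise UnsafeCloneURL("credentials or explicit port in clone URL")
    # owner/repo[.git] only; rejects empty segments, leading '-', and '..'.
    path_re = r"/[A-Za-z0-9][A-Za-z0-9_.-]*/[A-Za-z0-9][A-Za-z0-9_.-]*"
    if not re.fullmatch(path_re, parts.path):
        raise UnsafeCloneURL(f"unexpected path {parts.path!r}")
    return clone_url


def clone_url_is_safe(clone_url: str) -> bool:
    """Boolean wrapper around validate_clone_url for callers and tests."""
    try:
        validate_clone_url(clone_url)
    except UnsafeCloneURL:
        return False
    return True


def build_clone_argv_safe(clone_url: str, dest: str) -> list[str]:
    """Hardened pattern: validate first, then insert '--' so git stops
    option parsing even if the validation is loosened later."""
    url = validate_clone_url(clone_url)
    return ["git", "clone", "--", url, dest]


if __name__ == "__main__":
    unsafe = build_clone_argv_unsafe(EVIL_URL, "dest")
    print("unsafe argv:", unsafe)
    print("parsed as options by git:", git_would_treat_as_options(unsafe))
    print("safe argv:", build_clone_argv_safe(GOOD_URL, "dest"))
    print("evil URL accepted by validator:", clone_url_is_safe(EVIL_URL))
```

The two controls are deliberately layered: the "--" terminator stops git from reading the URL as an option, and the allowlist rejects schemes such as ext:: or ssh:// and hosts other than the expected one, so a value that is a syntactically valid URL but points somewhere unexpected is also refused before any process is spawned.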

The GitHub security advisory GHSA-w8jv-rg3h-fc68 and associated pull request direct users to upgrade immediately to version 1.9.5 for the fix; all earlier releases are vulnerable and no workarounds are documented.

EPSS remains at 0.0205 (roughly a 2% estimated probability of exploitation in the next 30 days), unchanged since disclosure with no observed rise.

Vulnerability details

Registrator is a GitHub app that automates creation of registration pull requests for Julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the `gettreesha()` function. This can then lead to a potential remote code execution. Users should upgrade immediately to v1.9.5 to receive a patch. All prior versions are vulnerable. No known workarounds are available.

CWE(s)

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

julialang
registrator
< 1.9.5 (fixed in 1.9.5)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
