CVE-2025-61141
Published: 30 October 2025
Summary
CVE-2025-61141 is a high-severity Command Injection (CWE-77) vulnerability in Dw1 (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 30.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
sqls-server/sqls version 0.2.28 is affected by a command injection vulnerability in the config command. The openEditor function passes the EDITOR environment variable and the configuration file path directly to sh -c without sanitization, enabling arbitrary command execution and corresponding to CWE-77.
An unauthenticated remote attacker can trigger the flaw over the network without user interaction to achieve integrity impacts on the target system, consistent with the assigned CVSS 3.1 score of 7.5.
Public references containing further advisory and patch information are located at https://advisory.dw1.io/54/, https://github.com/sqls-server/sqls/, and https://lukmanern.github.io/CVE-2025-61141.html.
The associated EPSS score rose materially from a low baseline to a peak of 0.0201 on 2026-01-13 before receding to the current value of 0.0058.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37196
Vulnerability details
sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment variable and config file path to sh -c without sanitization, allowing attackers to execute arbitrary commands.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command)
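The defect described above (and in the "Deeper analysis" paragraph) is the classic shell-interpolation pattern: two runtime values are joined into one string and handed to sh -c, so any shell metacharacter in either value is parsed by the shell rather than passed to the editor. The following Go program is an added illustration written for this page; it is not code from the sqls project or from the advisory authors. The function names vulnerableEditorCommand and hardenedEditorCommand are hypothetical, the sample path is constructed, and the program only builds the argv of each variant without executing anything.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// vulnerableEditorCommand mirrors the pattern the advisory describes (hypothetical
// reconstruction, not the project's code): the editor name and the file path are
// interpolated into a single string that is given to "sh -c", so the shell
// re-parses both values and honours metacharacters such as ';' or '$(...)'.
func vulnerableEditorCommand(editor, path string) *exec.Cmd {
	return exec.Command("sh", "-c", fmt.Sprintf("%s %s", editor, path))
}

// hardenedEditorCommand launches the editor directly, with no shell in between.
// EDITOR is split on whitespace so values such as "code --wait" keep working,
// and the path is appended as its own argv element, so it is delivered to the
// editor byte-for-byte regardless of what characters it contains.
func hardenedEditorCommand(editor, path string) (*exec.Cmd, error) {
	fields := strings.Fields(editor)
	if len(fields) == 0 {
		return nil, fmt.Errorf("EDITOR is empty or unset")
	}
	args := append(fields[1:], path)
	cmd := exec.Command(fields[0], args...)
	// An interactive editor needs the caller's terminal.
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd, nil
}

func main() {
	// Constructed sample: a config path that happens to contain a shell separator.
	path := "/tmp/config.yml; id"

	v := vulnerableEditorCommand("vi", path)
	// argv is [sh -c "vi /tmp/config.yml; id"]: the shell would run "vi" and then "id".
	fmt.Printf("vulnerable argv: %q\n", v.Args)

	h, err := hardenedEditorCommand("vi", path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// argv is [vi "/tmp/config.yml; id"]: vi is asked to open one oddly named file.
	fmt.Printf("hardened argv:   %q\n", h.Args)
}
```

The fix is structural rather than a matter of escaping: once the shell is removed from the call chain there is no grammar left for the path or the EDITOR value to break out of, which is why the hardened variant needs no character blocklist. For detection on hosts where this kind of tool runs, a process tree in which a command-line utility spawns sh -c whose argument contains a path followed by an additional command is the observable artifact to look for.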
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.