ADVISORIES

• CVE-2025-54314 (NVD)
• GHSA-mqcp-p2hv-vw6x

GEM

thor

SEVERITY

CVSS v3.x: 2.8 (Low)

PATCHED VERSIONS

• >= 1.4.0

DESCRIPTION

Thor before 1.4.0 can construct an unsafe shell command from library input.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2025-54314
• https://github.com/rails/thor/releases/tag/v1.4.0
• https://github.com/rails/thor/pull/897
• https://github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa
• https://hackerone.com/reports/3260153
• https://github.com/advisories/GHSA-mqcp-p2hv-vw6x