Thor can construct an unsafe shell command from library input.
Published: July 20, 2025
SECURITY IDENTIFIERS
- CVE: CVE-2025-54314 (NVD)
- GHSA: GHSA-mqcp-p2hv-vw6x
GEM
SEVERITY
CVSS v3.x: 2.8 (Low)
PATCHED VERSIONS
>= 1.4.0
DESCRIPTION
Thor before 1.4.0 can construct an unsafe shell command from library input.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2025-54314
- https://github.com/rails/thor/releases/tag/v1.4.0
- https://github.com/rails/thor/pull/897
- https://github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa
- https://hackerone.com/reports/3260153
- https://github.com/advisories/GHSA-mqcp-p2hv-vw6x