Registrator GitHub App Shell Script Injection Vulnerability in `withpasswd` Function Allowing Potential Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the Registrator GitHub app, specifically in versions prior to 1.9.5. The issue arises within the `withpasswd` function, where dynamic variables can be interpolated into a shell script. If the clone URL from GitHub is malicious or can be manipulated through upstream vulnerabilities, this could lead to shell script injection. Additionally, an argument injection vulnerability exists in the `gettreesha` function, which could also result in remote code execution.
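The two bug classes named above, shown as an added Python example that is not Registrator's own code; the function names, the constructed sample URL and the `CLONE_URL` variable are assumptions made for illustration. It contrasts a value pasted into shell script text with two hardened forms, and builds a git argv that rejects option-like values.

```python
import os
import shlex
import subprocess

# Constructed sample value: a clone URL carrying a shell command substitution.
HOSTILE_URL = "https://example.invalid/repo.git$(echo INJECTED)"

def run_sh(script, extra_env=None):
    """Run a script with sh and return its stdout."""
    env = dict(os.environ, **(extra_env or {}))
    done = subprocess.run(["sh", "-c", script], env=env,
                          capture_output=True, text=True, check=True)
    return done.stdout

def echo_interpolated(url):
    """Risky pattern: the value is pasted into the script source."""
    return run_sh(f'printf "%s" "{url}"')

def echo_quoted(url):
    """Hardened: shlex.quote turns the value into one literal shell word."""
    return run_sh(f"printf '%s' {shlex.quote(url)}")

def echo_from_env(url):
    """Hardened: constant script text; the value travels in the environment."""
    return run_sh('printf "%s" "$CLONE_URL"', {"CLONE_URL": url})

def clone_argv(url, dest):
    """Build an argv list (no shell) and block option-like values.

    A leading '-' would let the value be parsed as a git option, which is
    the argument-injection case; '--' additionally ends option parsing.
    """
    for value in (url, dest):
        if not value or value.startswith("-"):
            raise ValueError(f"refusing option-like argument: {value!r}")
    return ["git", "clone", "--", url, dest]

if __name__ == "__main__":
    print("interpolated:", echo_interpolated(HOSTILE_URL))
    print("quoted:      ", echo_quoted(HOSTILE_URL))
    print("from env:    ", echo_from_env(HOSTILE_URL))
    print("argv:        ", clone_argv(HOSTILE_URL, "workdir"))
```

Only the interpolated form lets the shell evaluate the embedded substitution; the quoted and environment forms return the URL byte for byte.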

Impact

Exploitation of this vulnerability allows for shell script injection, which can lead to remote code execution.

Remediation

Users are advised to upgrade to Registrator version 1.9.5, where this vulnerability has been patched.

Added: Jun 25, 2025, 5:36 PM
Updated: Jun 25, 2025, 5:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.