Warning: Two high-rated injection vulnerabilities in Registrator.jl can lead to remote code execution. Patch immediately!

Published: 01/07/2025
  • Last update: 01/07/2025
  • Affected software:
    → Registrator.jl
  • Type: Remote code execution
  • CVE/CVSS
    → CVE-2025-52480: CVSS 8.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U)
    → CVE-2025-52483: CVSS 8.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U)

Sources

https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-w8jv-rg3h-fc68
https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-589r-g8hf-xx59

Risks

JuliaRegistries published security advisories to address two injection vulnerabilities affecting Registrator.jl which can be exploited to perform remote code execution.

Registrator is a GitHub app that automates the creation of registration pull requests for Julia packages to the General registry. GitHub is regularly used by threat actors to host malicious packages as part of their attack flow. Open-source repositories have been targeted in the past.

A threat actor could exploit the vulnerabilities in Registrator to inject a script or a malicious clone URL to achieve remote code execution.

JuliaRegistries is not aware of active exploitation (cut-off date: 30 June 2025).

Exploitation of either vulnerability can have a high impact on confidentiality, integrity and availability.

Description

CVE-2025-52480 is an argument injection vulnerability affecting the gettreesha() function of the Registrator app.
If the clone URL returned by GitHub is malicious, or if it can be injected using upstream vulnerabilities, a threat actor could leverage an argument injection to achieve remote code execution.

CVE-2025-52483 is a command injection vulnerability within the withpasswd() function of the Registrator app.
If the clone URL returned by GitHub is malicious, or if it can be injected using upstream vulnerabilities, a threat actor could inject a shell script to achieve remote code execution.
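
The two bug classes described above, seen from the defensive side, for teams reviewing their own automation that passes a clone URL to git. This is an added example, not Registrator.jl code and not the project's fix. The function names, the host allowlist and the sample URLs are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: clones are only expected over HTTPS from these hosts.
ALLOWED_HOSTS = {"github.com"}
# Characters a plain HTTPS clone URL needs; excludes whitespace, quotes and shell metacharacters.
_SAFE_CHARS = re.compile(r"[A-Za-z0-9:/._~-]+")
_REPO_PATH = re.compile(r"/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+")

def validate_clone_url(url):
    """Return url unchanged if it passes every check, else raise ValueError."""
    if not isinstance(url, str) or not _SAFE_CHARS.fullmatch(url):
        raise ValueError("unexpected characters in clone URL")
    if url.startswith("-"):
        raise ValueError("clone URL would be parsed as an option")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https clone URLs are accepted")
    if parts.username or parts.password or parts.port is not None:
        raise ValueError("credentials or port in clone URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    if parts.query or parts.fragment or not _REPO_PATH.fullmatch(parts.path):
        raise ValueError("unexpected path, query or fragment")
    return url

def git_clone_argv(url, dest):
    """Argument list for subprocess.run (no shell); "--" ends git's option parsing."""
    return ["git", "clone", "--", validate_clone_url(url), dest]

# Constructed sample inputs, not taken from the advisories.
SAMPLES = [
    "https://github.com/ExampleOrg/Example.jl.git",
    "--constructed-option",
    "https://github.com/ExampleOrg/Example.jl.git; echo constructed",
    "http://github.com/ExampleOrg/Example.jl.git",
    "https://example.invalid/ExampleOrg/Example.jl.git",
]

def triage(urls):
    """Map each URL to "ok" or to the reason it was rejected."""
    verdicts = {}
    for u in urls:
        try:
            validate_clone_url(u)
            verdicts[u] = "ok"
        except ValueError as err:
            verdicts[u] = str(err)
    return verdicts
```

The argument list addresses the command injection class because no shell ever parses the URL, and the leading-dash check together with `--` addresses the argument injection class.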

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Please note that all versions prior to v1.9.5 are vulnerable and that there are no workarounds.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.