Vulnerability Description
Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
CVSS Score
LOW
Related Weaknesses (CWE)
References
- https://github.com/github/advisory-database/pull/5912#issuecomment-3169255309
- https://github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa
- https://github.com/rails/thor/pull/897
- https://github.com/rails/thor/releases/tag/v1.4.0
- https://hackerone.com/reports/3260153
FAQ
What is CVE-2025-54314?
CVE-2025-54314 is a vulnerability with a CVSS score of 2.8 (LOW). Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
How severe is CVE-2025-54314?
CVE-2025-54314 has been rated LOW with a CVSS base score of 2.8/10. See the CVSS Score section above; note that the Supplier disputes the vulnerability.
Is there a patch for CVE-2025-54314?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.