CVE-2025-52480

EUVD-2025-19119 | CRITICAL
Published 2025-06-25 | Source: [email protected]
CVSS 3.1 base score: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned (euvd): Mar 15, 2026 - 23:19, EUVD-2025-19119
Analysis Generated (vuln.today): Mar 15, 2026 - 23:19
Patch Released (nvd): Mar 15, 2026 - 23:19, patch available
CVE Published (nvd): Jun 25, 2025 - 17:15

Description

Registrator is a GitHub app that automates creation of registration pull requests for Julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the `gettreesha()` function. This can then lead to a potential remote code execution. Users should upgrade immediately to v1.9.5 to receive a patch. All prior versions are vulnerable. No known workarounds are available.

Analysis

Registrator, a GitHub app automating Julia package registrations, contains an argument injection vulnerability in the gettreesha() function that can be exploited via malicious clone URLs to achieve remote code execution. All versions prior to 1.9.5 are vulnerable; the vulnerability requires no user interaction or privileges and can be triggered remotely over the network. While no active exploitation or public proof of concept has been confirmed in the source data, the critical nature of an RCE capability and the complete lack of workarounds make immediate patching essential for all Registrator deployments.

Technical Context

Registrator is a GitHub App that automates creation and management of pull requests for Julia package registration to the General registry. The vulnerability exists in the gettreesha() function, which processes clone URLs returned by GitHub's API. The root cause is CWE-88 (Argument Injection), where unsanitized input from an upstream source (GitHub clone URLs) is passed to a system command or shell execution context without proper escaping or validation. An attacker who can compromise the clone URL (either through GitHub account compromise, man-in-the-middle attack, or upstream GitHub API vulnerability) can inject arbitrary command-line arguments that alter the behavior of git operations or execute arbitrary code. The vulnerability chain involves: (1) GitHub returns a clone URL, (2) gettreesha() uses this URL without sanitization, (3) the URL is interpolated into a command that executes with the privileges of the Registrator service.
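As an added illustration of the mitigation class described above (example code written for this page, not Registrator's own code or its actual fix; all function names are hypothetical): a clone URL guard that rejects any value git would parse as an option, restricts the URL to a plain https://github.com/<owner>/<repo> shape, and always passes it as a positional argument after `--` in an argv list rather than through a shell.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed allow-pattern for the only repository paths a registration
# flow should ever see: /<owner>/<repo> with an optional .git suffix.
_GITHUB_REPO_PATH = re.compile(r"^/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def validate_clone_url(url: str) -> str:
    """Return url unchanged if it is a plain https GitHub clone URL, else raise.

    The leading-dash check is the CWE-88 guard: a value starting with '-' is
    parsed by git as an option, not as a repository location.
    """
    if not url or url.startswith("-"):
        raise ValueError("clone URL must not look like a command-line option")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != "github.com":
        raise ValueError("clone URL must be an https://github.com/ URL")
    if parts.query or parts.fragment or parts.username or parts.password:
        raise ValueError("clone URL carries unexpected components")
    if not _GITHUB_REPO_PATH.match(parts.path):
        raise ValueError("clone URL path is not <owner>/<repo>")
    return url


def is_safe_clone_url(url: str) -> bool:
    """Boolean form of validate_clone_url for callers that only need a verdict."""
    try:
        validate_clone_url(url)
    except ValueError:
        return False
    return True


def git_ls_remote_argv(url: str, ref: str = "HEAD") -> list:
    """Build argv for `git ls-remote` with the URL isolated behind '--'.

    A list (no shell) avoids shell metacharacter injection, and '--' tells
    git that everything after it is positional, so even a value that slipped
    past validation could not be interpreted as an option.
    """
    return ["git", "ls-remote", "--", validate_clone_url(url), ref]


def remote_head_sha(url: str) -> str:
    """Resolve HEAD of a validated clone URL (needs network; not exercised in tests)."""
    proc = subprocess.run(git_ls_remote_argv(url), capture_output=True,
                          text=True, check=True)
    return proc.stdout.split()[0]
```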

Affected Products

Registrator (GitHub App for Julia package registration): All versions prior to 1.9.5 are vulnerable. The specific affected version range is [0.0.0, 1.9.4]. Fixed version: 1.9.5. CPE data is not explicitly provided in the source material, but the product can be identified as CPE:/a:julialang:registrator or similar. Affected deployments include any GitHub App installation using Registrator for Julia General registry automation. The vulnerability affects the server-side Registrator application running on infrastructure that processes GitHub webhooks and executes git operations.

Remediation

Immediate action required: upgrade Registrator to version 1.9.5 or later. This is the only available fix; no workarounds have been identified. Remediation steps: (1) Update the Registrator GitHub App deployment to v1.9.5 from the official repository, (2) Restart the Registrator service to apply the patch, (3) Review recent Registrator logs for suspicious activity or unexpected git commands, (4) If available, audit package registrations submitted during the vulnerability window for integrity. For users unable to patch immediately, consider temporarily disabling Registrator and using manual package registration processes. Access the official Registrator repository and releases page (https://github.com/JuliaRegistries/Registrator.jl) for patch downloads and release notes. The vulnerability advisory should include detailed information about the fix (proper input sanitization in gettreesha()).

Priority Score

50 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.8
CVSS: +49
POC: 0

CVE-2025-52480 vulnerability details – vuln.today