Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
On Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands.
Details
- Resolvers.scala L84-95 - git resolver passes
uri.getFragment()torun()without sanitization - Resolvers.scala L137-145 -
run()usesProcess("cmd", "/c", ...)on Windows, socmdinterprets&&as command separator
PoC
# build.properties
# sbt.version=1.12.5
# Tested on those two versions of sbt
sbt.version=2.0.0-RC9// build.sbt
ThisBuild / scalaVersion := "2.12.19"
lazy val root = project
.in(file("."))
.dependsOn(vulnerable)
lazy val vulnerable = RootProject(
uri("https://github.com/sbt/io.git#develop%26%26calc.exe")
)Impact
Windows users are impacted. An attacker can execute arbitrary Windows commands if they control the dependency URI.
AnalysisAI
sbt on Windows is vulnerable to command injection through unvalidated URI fragments in VCS dependency declarations. When resolving git, mercurial, or subversion repositories, sbt passes user-controlled branch, tag, or revision parameters directly to cmd.exe without sanitization, allowing attackers to inject arbitrary Windows commands via special characters like &, |, and ; that cmd /c interprets as command separators. An attacker who controls a dependency URI in a project's build.sbt file can execute arbitrary commands with the privileges of the user running sbt. A proof-of-concept exists demonstrating execution of calc.exe, and patches are available from the vendor for sbt versions 1.12.7 and later.
Technical ContextAI
The vulnerability exists in sbt (Scala Build Tool), identified by CPE pkg:maven/org.scala-sbt:sbt, specifically in the Resolvers.scala module which handles dependency resolution from version control systems. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command, aka OS Command Injection). The vulnerable code path passes uri.getFragment() directly to a Process constructor that uses Process("cmd", "/c", ...) on Windows systems. The cmd.exe shell interprets several metacharacters—specifically ampersand (&), pipe (|), and semicolon (;)—as command separators and operators, enabling command chaining. Unlike Unix shells where argument quoting provides some protection, cmd /c does not properly isolate the URI fragment parameter from the shell metacharacter interpretation layer. This affects sbt versions prior to 1.12.7 and 2.0.0-RC9 and later, as confirmed in testing by the reporter.
RemediationAI
Immediately upgrade sbt to version 1.12.7 or later for the 1.x branch, or to 2.0.0-RC9 or later for the 2.x branch. Apply the patches referenced in commits 1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e and 3a474ab060df4dbfa825a7e7bc97e00056519800 if building from source. As an interim workaround for organizations unable to immediately patch, audit all build.sbt files and build.properties configurations to ensure dependency URIs come only from trusted internal repositories and do not contain user-controllable fragment identifiers. Restrict developer machines to execute sbt only within sandboxed environments or CI/CD systems where command execution can be monitored and logged. Additionally, configure development machines to reject or warn on build definitions that reference external VCS repositories with fragments or complex URIs. Consult the vendor advisory at https://github.com/sbt/sbt/releases/tag/v1.12.7 for detailed upgrade instructions.
Windows MSHTML component contains a remote code execution vulnerability that allows attackers to craft malicious ActiveX
Windows Win32k contains an out-of-bounds write vulnerability enabling local privilege escalation to SYSTEM, exploited by
The Windows VBScript engine contains a remote code execution vulnerability in object handling that allows full system co
Windows Win32k fails to properly handle objects in memory, allowing local privilege escalation exploited in the wild in
A privilege escalation vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed), EPSS 94% exploitation pr
Windows Kernel contains a TOCTOU race condition vulnerability allowing local privilege escalation, exploited by the OilR
Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API b
An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote
FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbit
Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/actio
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14990
GHSA-x4ff-q6h8-v7gw