CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Registrator is a GitHub app that automates creation of registration pull requests for Julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), a shell script injection can occur within the `withpasswd` function. Alternatively, an argument injection is possible in the `gettreesha` function. Either of these can then lead to a potential RCE. Users should upgrade immediately to v1.9.5 to receive a fix. All prior versions are vulnerable. No known workarounds are available.
Analysis
Registrator, a GitHub app automating Julia package registration, contains critical shell injection and argument injection vulnerabilities in versions prior to 1.9.5 that can be exploited through malicious or injected clone URLs returned by GitHub. An unauthenticated remote attacker who controls that clone URL can achieve arbitrary code execution on systems running vulnerable versions, with no user interaction required. No public exploits are confirmed. The precondition is control of the clone URL Registrator receives from GitHub, whether a malicious value or one injected through an upstream vulnerability; once that holds, the path from the URL to command execution is direct, since the URL is spliced straight into the commands the affected functions run.
Technical Context
Registrator is a GitHub automation application written in Julia that processes package registration workflows. The vulnerability exists in two distinct code paths: (1) the `withpasswd` function, which appears to construct shell commands using unsanitized clone URLs returned by the GitHub API, so shell metacharacters in the URL (`;`, `|`, `$(...)`, backticks) are interpreted by the shell; and (2) the `gettreesha` function, which is vulnerable to command argument injection, where a URL that begins with `-` is consumed by the invoked tool as an option rather than as a repository address. Both vulnerabilities fall under CWE-77 (Improper Neutralization of Special Elements used in a Command), a class covering shell metacharacter injection and argument injection attacks. The root cause is the lack of input validation and sanitization when constructing system commands from external data (GitHub API responses). The attack surface is the GitHub API integration layer, where clone URLs are processed without escaping shell-dangerous characters or using safe command execution APIs. Note that the two defects need different fixes: avoiding the shell (Julia's `Cmd` objects pass each interpolated value as a single argv element) closes the shell injection but not the argument injection; the latter additionally requires validating the URL and placing it after a `--` separator so the tool stops option parsing.
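The following Julia snippet is an added illustration of the two injection classes described above and of a hardened construction; it is not Registrator's code, and the function names (`build_cmd_unsafe`, `build_cmd_noshell`, `build_cmd_safe`, `validate_clone_url`), the `git ls-remote` invocation standing in for whatever git command the affected functions run, and the `github.com` allow-list are assumptions made for the example. It builds `Cmd` objects and prints their argv vectors instead of executing anything, so it runs offline.

```julia
# Added illustrative example (not Registrator's own code). The helper names,
# the `git ls-remote` stand-in and the github.com allow-list are assumptions.

# Constructed attacker-controlled clone URLs (no real repositories).
const SHELL_INJECT_URL = "https://github.com/x/y.git; touch /tmp/pwned"
const ARG_INJECT_URL   = "--upload-pack=touch /tmp/pwned"
const BENIGN_URL       = "https://github.com/JuliaRegistries/General.git"

# 1. Shell-string pattern (CWE-77 shell injection): the URL is spliced into
#    text that `sh` parses later, so the `;` in SHELL_INJECT_URL starts a
#    second command. Julia keeps the quoted word as ONE argv element, which
#    is exactly what hands the metacharacters to the shell unescaped.
function build_cmd_unsafe(url::AbstractString)
    return `sh -c "git ls-remote $url"`
end

# 2. Argument-vector pattern: no shell is involved and `$url` becomes exactly
#    one argv element, so `;` is harmless. But nothing stops the URL from
#    being an option: git would parse ARG_INJECT_URL as `--upload-pack=...`,
#    i.e. a command to run (argument injection).
function build_cmd_noshell(url::AbstractString)
    return `git ls-remote $url`
end

# 3. Hardened: reject option-looking values and shell metacharacters, pin the
#    URL to the expected shape, and pass it after `--` so option parsing stops.
function validate_clone_url(url::AbstractString)
    startswith(url, "-") && throw(ArgumentError("URL looks like an option: $url"))
    occursin(r"[\s;&|`\$<>\\'\"]", url) &&
        throw(ArgumentError("URL contains shell metacharacters: $url"))
    m = match(r"^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(\.git)?$", url)
    m === nothing && throw(ArgumentError("not a GitHub HTTPS clone URL: $url"))
    return String(url)
end

function build_cmd_safe(url::AbstractString)
    u = validate_clone_url(url)
    return `git ls-remote -- $u`
end

# Show the argv each construction would execute, without running git.
for (label, url) in ("shell-inject" => SHELL_INJECT_URL,
                     "arg-inject"   => ARG_INJECT_URL,
                     "benign"       => BENIGN_URL)
    println(label, " | unsafe  argv: ", build_cmd_unsafe(url).exec)
    println(label, " | noshell argv: ", build_cmd_noshell(url).exec)
    try
        println(label, " | safe    argv: ", build_cmd_safe(url).exec)
    catch e
        println(label, " | safe    -> rejected: ", e.msg)
    end
end
```

Reading the printed argv vectors makes the distinction concrete: for the first URL the unsafe form yields `["sh", "-c", "git ls-remote https://github.com/x/y.git; touch /tmp/pwned"]`, where the shell will execute both commands, while the no-shell form yields a three-element vector in which the whole URL, semicolon included, is a single argument. For the second URL the no-shell form is still dangerous, because `["git", "ls-remote", "--upload-pack=touch /tmp/pwned"]` lets git treat the value as an option. Only the validated, `--`-separated form refuses both malicious inputs and accepts the benign one.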
Affected Products
Registrator (All versions prior to 1.9.5)
EUVD-2025-19118