Skip to main content

Python EUVDEUVD-2025-21004

| CVE-2025-27614 HIGH
OS Command Injection (CWE-78)
2025-07-10 security-advisories@github.com
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
6.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21004
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 15:15 nvd
HIGH 8.6

DescriptionGitHub Advisory

Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.

AnalysisAI

CVE-2025-27614 is a command injection vulnerability in Gitk (Git's Tcl/Tk history browser) affecting versions 2.41.0 through 2.50.0 that allows arbitrary script execution with user privileges through specially crafted repository filenames. An attacker can exploit this via social engineering by tricking a user into invoking 'gitk filename' where the filename is maliciously structured to execute attacker-supplied scripts (shell, Perl, Python, etc.). With a CVSS score of 8.6 and no privilege requirement, this poses significant real-world risk for developers who clone untrusted repositories.

Technical ContextAI

Gitk is a Tcl/Tk-based graphical Git repository history browser included with Git distributions. The vulnerability stems from CWE-78 (Improper Neutralization of Special Elements used in an OS Command - OS Command Injection), where user-controlled input (filenames) is insufficiently sanitized before being passed to shell command execution contexts. The affected technology stack includes: Tcl/Tk scripting engine, Git CLI integration, and shell command invocation mechanisms. The root cause appears to be inadequate escaping or validation of filename arguments when constructing and executing system commands within Gitk's file handling logic. This affects Git package distributions across multiple platforms (Linux, macOS, Windows) where Gitk is bundled or installed alongside Git versions 2.41.0 and later.

RemediationAI

Immediate patching is required: Update to patched versions: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.0-final (or later). For Linux distributions: apply security updates via package managers (apt-get update && apt-get upgrade git on Debian/Ubuntu, yum update git on RHEL/CentOS, pacman -Syu git on Arch). For macOS: brew upgrade git. For Windows: download latest Git for Windows installer from https://git-scm.com/download/win. Workarounds (temporary, until patching): (1) Avoid invoking gitk on files with suspicious/unusual names from untrusted repositories, (2) Use alternative Git history browsers (e.g., git log, gitg, Magit, or web-based interfaces), (3) Inspect repository contents for suspicious filenames before invoking gitk, (4) Run Git operations in restricted environments (containers, VMs) when cloning untrusted repositories. Mitigation: Educate developers on risks of cloning untrusted repositories and verify repository sources before interaction.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

Ubuntu

Priority: Medium
git
Release Status Version
xenial not-affected code not present
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble released 1:2.43.0-1ubuntu7.3
oracular released 1:2.45.2-1ubuntu1.2
plucky released 1:2.48.1-0ubuntu1.1
upstream released 2.43.7

Debian

Bug #1108983
git
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 1:2.30.2-1+deb11u5 -
bookworm not-affected - -
bookworm (security) fixed 1:2.39.5-0+deb12u2 -
trixie fixed 1:2.47.3-0+deb13u1 -
forky fixed 1:2.51.0-1 -
sid fixed 1:2.53.0-1 -
(unstable) fixed 1:2.50.1-0.1 -

SUSE

Severity: High
Product Status
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

EUVD-2025-21004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy