Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.
AnalysisAI
Remote code execution in Tophat mobile testing harness prior to 2.5.1 allows authenticated network attackers to execute arbitrary commands on a developer's macOS workstation via unsanitized URL query parameters passed directly to bash. The vulnerability affects any developer with Tophat installed, with commands executing under the user's permissions and no confirmation dialog for previously trusted build hosts. This was fixed in version 2.5.1.
Technical ContextAI
Tophat is a mobile application testing harness for macOS that processes custom URL schemes (tophat://) and localhost HTTP requests (http://localhost:29070). The vulnerability stems from insufficient input validation on the 'arguments' query parameter, which flows unsanitized through URL parsing directly into a /bin/bash -c command execution context. This represents a classic command injection vulnerability (CWE-78) where attacker-controlled input is concatenated into shell command strings without proper escaping or sanitization. The localhost listener on port 29070 creates a local attack surface accessible to any process on the macOS system, while the custom URL scheme handler allows cross-application invocation. The lack of confirmation dialogs for previously trusted build hosts eliminates a potential user-interaction barrier that might otherwise mitigate exploitation.
RemediationAI
Vendor-released patch: Tophat 2.5.1. Developers must immediately upgrade from any version prior to 2.5.1 to the patched release. The patch addresses the unsanitized URL argument parsing by implementing proper input validation and escaping before passing arguments to shell execution. No workarounds are documented or recommended as a substitute for upgrading. Verify the upgrade by checking the installed version via Tophat's version command or system package manager, and restart any dependent build processes. For additional context and technical details, consult the GitHub security advisory at https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2 and the upstream fix at https://github.com/Shopify/tophat/pull/139.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20613