Description
Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
Third Party Advisory x_refsource_confirm
https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
Patch, Third Party Advisory x_refsource_misc
https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
Scores
CVSS v3
8.3
EPSS
0.0179
EPSS Percentile
82.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-78
CWE-74
CWE-20
Status
published
Products (1)
nim-lang/nim
< 1.2.10
Published
Mar 26, 2021
Tracked Since
Feb 18, 2026