CVE-2025-52480

CRITICAL

Julialang Registrator < 1.9.5 - Remote Code Execution

Title source: rule

Description

Registrator is a GitHub app that automates creation of registration pull requests for julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the `gettreesha()` function. This can then lead to a potential remote code execution. Users should upgrade immediately to v1.9.5 to receive a patch. All prior versions are vulnerable. No known workarounds are available.

References (2)

[Issue Tracking, Patch, Vendor Advisory] https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-w8jv-rg3h-fc68

[Issue Tracking, Patch] https://github.com/JuliaRegistries/Registrator.jl/pull/449

Scores

CVSS v3 9.8

EPSS 0.0205

EPSS Percentile 83.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-88

Status published

Products (1)

julialang/registrator < 1.9.5

Published Jun 25, 2025

Tracked Since Feb 18, 2026