CVE-2025-48069 github.com/shopify/ejson2env

Package

Manager: go
Name: github.com/shopify/ejson2env
Vulnerable Version: >=0 <2.0.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00133 (percentile: 0.33707)

Details

Insufficient input sanitization in ejson2env

### Summary

The `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to `stdout`. If this output is improperly utilized in further command execution, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system.

### Details

The vulnerability exists because environment variables are not properly sanitized during the decryption phase, which enables malicious keys or encrypted values to inject commands.

### Impact

An attacker with control over `.ejson` files can inject commands in the environment where `source $(ejson2env)` or `eval ejson2env` are executed.

### Mitigation

- Update to a version of `ejson2env` that sanitizes the output during decryption or
- Do not use `ejson2env` to decrypt untrusted user secrets or
- Do not evaluate or execute the direct output from `ejson2env` without removing nonprintable characters.

### Credit

Thanks to security researcher [Demonia](https://hackerone.com/demonia?type=user) for reporting this issue.
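
An added example, not code from ejson2env or from the advisory: one way a tool can render `export` statements so that keys and values read from an untrusted file cannot add commands to the output. `ExportLine` and `RenderExports` are hypothetical names, and the rules used (identifier-only keys, printable-only values, single-quoted values) are assumptions about what adequate sanitization looks like, not the project's actual patch.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"unicode"
	"unicode/utf8"
)

// validKey accepts only shell identifiers; Go's `$` (no m flag) matches only at end of text.
var validKey = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ExportLine (hypothetical helper) renders one export statement or refuses.
func ExportLine(key, value string) (string, error) {
	if !validKey.MatchString(key) {
		return "", fmt.Errorf("rejected key %q: not a shell identifier", key)
	}
	for _, r := range value {
		// Invalid UTF-8 decodes to RuneError; newline, tab, ESC etc. are not printable.
		if r == utf8.RuneError || !unicode.IsPrint(r) {
			return "", fmt.Errorf("rejected value for %s: nonprintable %U", key, r)
		}
	}
	// Inside single quotes the shell expands nothing; a quote becomes '\''.
	return "export " + key + "='" + strings.ReplaceAll(value, "'", `'\''`) + "'", nil
}

// RenderExports (hypothetical helper) returns no output at all if any entry is rejected.
func RenderExports(secrets map[string]string) (string, error) {
	keys := make([]string, 0, len(secrets))
	for k := range secrets {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output order
	var b strings.Builder
	for _, k := range keys {
		line, err := ExportLine(k, secrets[k])
		if err != nil {
			return "", err
		}
		b.WriteString(line + "\n")
	}
	return b.String(), nil
}

func main() { // constructed sample data, not from any real .ejson file
	fmt.Println(RenderExports(map[string]string{"API_KEY": "s3cr3t", "MOTTO": "it's $(fine)"}))
}
```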

Metadata

Created: 2025-05-21T18:32:37Z
Modified: 2025-05-27T19:00:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-2c47-m757-32g6/GHSA-2c47-m757-32g6.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-2c47-m757-32g6
Finding: F004
Auto approve: 1