CVE-2025-54314

EUVD-2025-21984
Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.8 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-thor
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
ignored
resolute
needs-triage
trusty
needs-triage
xenial
ignored
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
ruby3.2
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-bundled-gems
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-bundled-gems-debuginfo
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-debuginfo
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-debugsource
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-default-gems
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-devel
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-doc
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-libs
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-libs-debuginfo
Amazon Linux 2023
0:3.2.8-184.amzn2023.0.4
fixed
ruby3.2-rubygem-bigdecimal
Amazon Linux 2023
0:3.1.3-184.amzn2023.0.4
fixed
ruby3.2-rubygem-bigdecimal-debuginfo
Amazon Linux 2023
0:3.1.3-184.amzn2023.0.4
fixed
ruby3.2-rubygem-bundler
Amazon Linux 2023
0:2.4.19-184.amzn2023.0.4
fixed
ruby3.2-rubygem-io-console
Amazon Linux 2023
0:0.6.0-184.amzn2023.0.4
fixed
ruby3.2-rubygem-io-console-debuginfo
Amazon Linux 2023
0:0.6.0-184.amzn2023.0.4
fixed
ruby3.2-rubygem-irb
Amazon Linux 2023
0:1.6.2-184.amzn2023.0.4
fixed
ruby3.2-rubygem-json
Amazon Linux 2023
0:2.6.3-184.amzn2023.0.4
fixed
ruby3.2-rubygem-json-debuginfo
Amazon Linux 2023
0:2.6.3-184.amzn2023.0.4
fixed
ruby3.2-rubygem-minitest
Amazon Linux 2023
0:5.25.1-184.amzn2023.0.4
fixed
ruby3.2-rubygem-power_assert
Amazon Linux 2023
0:2.0.3-184.amzn2023.0.4
fixed
ruby3.2-rubygem-psych
Amazon Linux 2023
0:5.0.1-184.amzn2023.0.4
fixed
ruby3.2-rubygem-psych-debuginfo
Amazon Linux 2023
0:5.0.1-184.amzn2023.0.4
fixed
ruby3.2-rubygem-rake
Amazon Linux 2023
0:13.0.6-184.amzn2023.0.4
fixed
ruby3.2-rubygem-rbs
Amazon Linux 2023
0:2.8.2-184.amzn2023.0.4
fixed
ruby3.2-rubygem-rbs-debuginfo
Amazon Linux 2023
0:2.8.2-184.amzn2023.0.4
fixed
ruby3.2-rubygem-rdoc
Amazon Linux 2023
0:6.5.1.1-184.amzn2023.0.4
fixed
ruby3.2-rubygem-rexml
Amazon Linux 2023
0:3.3.9-184.amzn2023.0.4
fixed
ruby3.2-rubygem-rss
Amazon Linux 2023
0:0.3.1-184.amzn2023.0.4
fixed
ruby3.2-rubygem-test-unit
Amazon Linux 2023
0:3.5.7-184.amzn2023.0.4
fixed
ruby3.2-rubygem-typeprof
Amazon Linux 2023
0:0.21.3-184.amzn2023.0.4
fixed
ruby3.2-rubygems
Amazon Linux 2023
0:3.4.19-184.amzn2023.0.4
fixed
ruby3.2-rubygems-devel
Amazon Linux 2023
0:3.4.19-184.amzn2023.0.4
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
rubygem-thor
CBL-Mariner 2.0
0:1.2.1-3.cm2
fixed