Command injection in gh-ost
Description
gh-ost versions before 1.1.3 allow arbitrary file read via an unsanitized -database parameter that enables DSN injection; fixed in 1.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
gh-ost versions prior to 1.1.3 are vulnerable to arbitrary file read due to improper input validation of the -database parameter [1]. The parameter accepts user-supplied DSN strings, which can be manipulated to read arbitrary files on the target host.
Exploitation
An attacker must have access to the target host or trick an administrator into running a malicious gh-ost command. The host running gh-ost must have network access to the attacker-controlled MySQL server [1]. By providing a crafted -database parameter, the attacker can inject a DSN that triggers a file read operation from the host [4].
Impact
Successful exploitation allows an attacker to read arbitrary local files from the host running gh-ost [4]. This can lead to disclosure of sensitive information such as configuration files, credentials, or other data.
Mitigation
The vulnerability is fixed in gh-ost version 1.1.3, released February 2022 [4]. The fix applies URL encoding to the database name to prevent injection [3]. No workarounds are available; users should upgrade to 1.1.3 or later [4].
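As an added illustration of the fix described above (example code, not gh-ost's own), the following Go program builds a MySQL DSN from a database name both verbatim and through url.QueryEscape, as the 1.1.3 patch does, then splits the result the way a DSN parser separates the name from its parameters. The ConnInfo type, the function names and the sample values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ConnInfo holds the pieces that get assembled into a MySQL DSN.
// Field values used below are constructed for this example.
type ConnInfo struct {
	User, Pass, Host string
	Port             int
}

// BuildDSN assembles a go-sql-driver/mysql style DSN: user:pass@tcp(host:port)/dbname.
// With escape=false the name is interpolated verbatim (the pre-1.1.3 behaviour);
// with escape=true it is passed through url.QueryEscape, as the 1.1.3 fix does.
func BuildDSN(c ConnInfo, dbName string, escape bool) string {
	if escape {
		dbName = url.QueryEscape(dbName)
	}
	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", c.User, c.Pass, c.Host, c.Port, dbName)
}

// SplitDSNTail separates the database name from the connection parameters the
// way a DSN parser does: the text after ")/" up to the first '?' is the name,
// and everything after '?' is treated as key=value parameters.
// Whether the driver percent-decodes the name again is driver-specific and not modelled here.
func SplitDSNTail(dsn string) (dbName string, params map[string]string) {
	params = map[string]string{}
	i := strings.Index(dsn, ")/")
	if i < 0 {
		return "", params
	}
	dbName, query, _ := strings.Cut(dsn[i+2:], "?")
	for _, kv := range strings.Split(query, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			params[k] = v
		}
	}
	return dbName, params
}

func main() {
	c := ConnInfo{User: "ghost", Pass: "secret", Host: "127.0.0.1", Port: 3306}
	hostile := "mydb?injected=1" // constructed: a name carrying a '?' parameter separator
	for _, escape := range []bool{false, true} {
		name, params := SplitDSNTail(BuildDSN(c, hostile, escape))
		fmt.Printf("escape=%v  db=%q  params=%v\n", escape, name, params)
	}
}
```

Unescaped, the `?` splits the name and the remainder becomes a connection parameter; escaped, the whole string stays inside the name segment and no parameter is produced.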
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/github/gh-ost (Go) | < 1.1.3 | 1.1.3 |
Affected products
Patches (1)
a91ab042de01 Security: fix vulnerability where `-database` parameter accepts arbitrary DSN strings
2 files changed · +7 −1
build.sh+1 −1 modified@@ -18,7 +18,7 @@ function build { GOOS=$3 GOARCH=$4 - if ! go version | egrep -q 'go(1\.1[56])' ; then + if ! go version | egrep -q 'go1\.(1[5-9]|[2-9][0-9]{1})' ; then echo "go version must be 1.15 or above" exit 1 fi
go/cmd/gh-ost/main.go+6 −0 modified@@ -8,6 +8,7 @@ package main import ( "flag" "fmt" + "net/url" "os" "os/signal" "syscall" @@ -188,6 +189,11 @@ func main() { log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name") } } + + if err := flag.Set("database", url.QueryEscape(migrationContext.DatabaseName)); err != nil { + migrationContext.Log.Fatale(err) + } + if migrationContext.OriginalTableName == "" { if parser.HasExplicitTable() { migrationContext.OriginalTableName = parser.GetExplicitTable()
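Review bot: in the build.sh hunk the `{1}` quantifier in `go1\.(1[5-9]|[2-9][0-9]{1})` is a no-op (the character class already matches exactly one digit) and reads as if a wider range had been intended; `go1\.(1[5-9]|[2-9][0-9])` expresses the same check more plainly, and `grep -E` would replace the deprecated `egrep` alias.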
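Review bot: in the second main.go hunk the escaping is applied indirectly through `flag.Set("database", url.QueryEscape(migrationContext.DatabaseName))`, which only takes effect if the `database` flag is still bound to `migrationContext.DatabaseName`, and nothing in the hunk records why the name is being escaped; a direct assignment such as `migrationContext.DatabaseName = url.QueryEscape(migrationContext.DatabaseName)` with a comment stating that this keeps a `?` or `&` in the name from being parsed as DSN parameters would be clearer, and a regression test using such a name would protect the fix.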
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- github.com/advisories/GHSA-rrp4-2xx3-mv29 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-21687 (GHSA, advisory)
- github.com/github/gh-ost/commit/a91ab042de013cfd8fbb633763438932d9080d8f (GHSA, x_refsource_MISC, web)
- github.com/github/gh-ost/security/advisories/GHSA-rrp4-2xx3-mv29 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.