High severity · 7.5 · GHSA Advisory · Published Oct 30, 2025 · Updated Apr 15, 2026
CVE-2025-61141
Description
sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment variable and config file path to sh -c without sanitization, allowing attackers to execute arbitrary commands.
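To make the mechanism in the description concrete, here is an added Go example (not code from the sqls project) that builds the editor command the pre-patch way and the post-patch way and inspects the resulting argv without running anything. The `editorArgv` helper and the `injectedPath` value are assumptions constructed for the example: the helper shows one way a caller can keep an EDITOR value with flags working while still passing the file path as a single, unparsed argument.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// vulnerableArgv mirrors the pre-patch shape of openEditor: program and
// arguments are joined into one string that is handed to "sh -c", so any
// shell metacharacter inside the arguments is interpreted by the shell.
func vulnerableArgv(program string, args ...string) []string {
	command := program + " " + strings.Join(args, " ")
	cmd := exec.Command("sh", "-c", command)
	return cmd.Args // ["sh", "-c", "<program> <args joined>"]
}

// fixedArgv mirrors the post-patch shape: exec.Command receives the program
// and each argument as separate argv elements, so no shell ever parses them.
// exec.Command only resolves the program path here; nothing is executed.
func fixedArgv(program string, args ...string) []string {
	cmd := exec.Command(program, args...)
	return cmd.Args // ["<program>", "<arg1>", ...]
}

// editorArgv is a hypothetical helper (not part of the patch) for the common
// case where EDITOR holds a program plus flags, e.g. "vim -u NONE". Only the
// EDITOR value is split on whitespace; the file path is appended as exactly
// one argument and is never re-parsed.
func editorArgv(editor string, path string) ([]string, error) {
	fields := strings.Fields(editor)
	if len(fields) == 0 {
		return nil, fmt.Errorf("EDITOR is empty")
	}
	args := append([]string{}, fields[1:]...)
	args = append(args, path)
	return fixedArgv(fields[0], args...), nil
}

// injectedPath is a constructed sample: a config path that carries a shell
// metacharacter sequence, as an untrusted value might.
const injectedPath = "config.yml; echo injected"

func main() {
	fmt.Println("pre-patch argv: ", vulnerableArgv("vim", injectedPath))
	fmt.Println("post-patch argv:", fixedArgv("vim", injectedPath))
	argv, err := editorArgv("vim -u NONE", injectedPath)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("split EDITOR:   ", argv)
}
```

Under `sh -c` the whole string is one shell command line, so the text after `;` becomes a second command; with separate argv elements the same text reaches the editor as the literal file name `config.yml; echo injected`, which is the property the fix relies on.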
Affected products
- Range: = 0.2.28
Patches
468a23fc89af Merge pull request #179 from mattn/do-not-use-shell
1 file changed · +1 −11
main.go+1 −11 modified@@ -8,8 +8,6 @@ import ( "log" "os" "os/exec" - "runtime" - "strings" "github.com/sourcegraph/jsonrpc2" "github.com/urfave/cli/v2" @@ -172,15 +170,7 @@ func (stdrwc) Close() error { } func openEditor(program string, args ...string) error { - cmdargs := strings.Join(args, " ") - command := program + " " + cmdargs - - var cmd *exec.Cmd - if runtime.GOOS == "windows" { - cmd = exec.Command("cmd", "/c", command) - } else { - cmd = exec.Command("sh", "-c", command) - } + cmd := exec.Command(program, args...) cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr
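Review bot: `exec.Command(program, args...)` treats `program` as one executable name, so the call site, which is not in this hunk, must already split an EDITOR value such as `vim -u NONE` into program and arguments; if it still passes the whole string, editors configured with flags stop working (lookup fails on the literal `vim -u NONE`) instead of being injectable. That behaviour change deserves a sentence in the PR description, and the call site should be checked to confirm the config path arrives as exactly one element of `args`. Dropping the `runtime` and `strings` imports in the first hunk is consistent with removing the `cmd /c` and `sh -c` branches; note that the Windows path now also goes through `exec.Command` directly, so `.bat`/`.cmd` editors that relied on `cmd /c` resolution are affected the same way.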
References
- github.com/advisories/GHSA-f9f4-5859-29mf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-61141 (NVD entry)
- advisory.dw1.io/54
- github.com/sqls-server/sqls/commit/468a23fc89af89f632cc023a10c031e4bc781797 (fix commit)
- lukmanern.github.io/CVE-2025-61141.html
- pkg.go.dev/vuln/GO-2025-4088 (Go vulnerability database)