
Anatoliykmetyuk

#34008de 53,638
7.8 CVSS total
Vulnerabilities · 1
PT-2026-27306
7.8
2026-03-24
Sbt · Sbt · CVE-2026-32948
**Name of the Vulnerable Software and Affected Versions**

sbt versions prior to 1.12.7

**Description**

On Windows, sbt uses `Process("cmd", "/c", ...)` to execute VCS commands. The URI fragment, which the user controls through the build definition, is passed to these commands without validation. The `cmd /c` interpreter treats characters such as `&`, `|`, and `;` as command separators, so a malicious fragment can execute arbitrary commands. The root cause is that the value returned by `uri.getFragment()` is passed to the `run()` function without sanitization, and `run()` then invokes `Process("cmd", "/c", ...)` on Windows. A proof of concept demonstrates execution of arbitrary commands by crafting a malicious dependency URI.

**Recommendations**

Update to sbt version 1.12.7 or later.
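A defensive check of the kind the fix implies, as an added example in Python rather than sbt's own code: it allowlists the VCS ref carried in the dependency URI fragment and builds a direct `git` argv instead of handing the string to `cmd /c`. The function names and the exact allowlist are assumptions, not sbt's implementation.

```python
import re
import subprocess
from typing import Optional

# Added example (not sbt code). Allowlist for a VCS ref carried in a
# dependency URI fragment: branch, tag or commit id. The first character
# must be alphanumeric, so a ref can never be mistaken for an option flag,
# and no cmd.exe separator (&, |, ;) or redirection character can appear.
_SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def validate_fragment(fragment: Optional[str]) -> Optional[str]:
    """Return the fragment if it looks like a plain VCS ref, else None.

    None means the build definition supplied no fragment or an unsafe one;
    the caller must then refuse to run the VCS command at all.
    """
    if fragment is None or not _SAFE_REF.fullmatch(fragment):
        return None
    # ".." and a trailing "/" are never valid in a git ref name
    if ".." in fragment or fragment.endswith("/"):
        return None
    return fragment


def build_checkout_argv(fragment: Optional[str]) -> list[str]:
    """Build the argv for checking out the ref without any shell.

    Each element is passed as a separate argument, so even if validation
    were loosened later, no command interpreter would ever see the string.
    """
    ref = validate_fragment(fragment)
    if ref is None:
        raise ValueError("rejected VCS fragment from dependency URI")
    return ["git", "checkout", ref]


def run_checkout(fragment: Optional[str], repo_dir: str) -> int:
    """Run the checkout with shell=False, the safe counterpart of cmd /c."""
    argv = build_checkout_argv(fragment)
    return subprocess.run(argv, cwd=repo_dir, shell=False, check=False).returncode
```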