Trey-Crystalpeak

#42472 of 53,638
6.3 Total CVSS
Vulnerabilities · 1
PT-2026-21303
6.3
2026-02-20
Unknown · Liquidprompt · CVE-2026-27113
**Name of the Vulnerable Software and Affected Versions**

Liquid Prompt (affected versions not specified)

**Description**

Liquid Prompt, an adaptive prompt for Bash and Zsh, contains a command injection flaw that can lead to arbitrary code execution. It is triggered when a user enters a directory inside a Git repository that has a specially crafted branch name. Three conditions must hold: the `LP_ENABLE_GITSTATUSD` configuration option is enabled, `gitstatusd` is installed and running before Liquid Prompt is loaded, and shell prompt substitution is active. A branch name containing shell syntax, such as `$(...)` or backtick expressions, in either the default or a checked-out branch is then evaluated by the shell when the prompt is rendered. The vulnerable code is present on the master branch from commit `cf3441250bb5d8b45f6f8b389fcdf427a99ac28a` up to, but not including, commit `a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c`.

**Recommendations**

Set the `LP_ENABLE_GITSTATUSD` configuration option to 0.
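
A defensive check for the condition described above, as an added example that is not part of the advisory or of Liquid Prompt's code: it reads `.git/HEAD` directly and flags a checked-out branch name containing `$` or a backtick before a substituting prompt gets to render it. The function names are hypothetical, it assumes a plain checkout where `.git` is a directory, and it covers only the checked-out branch.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not Liquid Prompt functions.

# True when the name contains `$` or a backtick, the characters that start
# the `$(...)` and backtick expressions named in the advisory.
branch_name_is_risky() {
    case $1 in
        *'$'*|*'`'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the branch HEAD points at by reading .git/HEAD as plain text, so no
# git command or prompt hook has to run inside the untrusted tree.
# Assumption: a plain checkout where .git is a directory.
head_branch() {
    [ -f "$1/.git/HEAD" ] || return 1
    IFS= read -r _head < "$1/.git/HEAD" || [ -n "$_head" ] || return 1
    case $_head in
        'ref: refs/heads/'*) printf '%s\n' "${_head#ref: refs/heads/}" ;;
        *) return 1 ;;   # detached HEAD or unexpected content
    esac
}

# Exit status: 0 = plain branch name, 1 = risky name, 2 = HEAD not readable.
audit_repo() {
    _branch=$(head_branch "$1") || return 2
    if branch_name_is_risky "$_branch"; then
        # printf '%s' prints the name literally; nothing in it is evaluated.
        printf 'risky branch name in %s: %s\n' "$1" "$_branch" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a fake checkout whose HEAD names a crafted branch.
demo=$(mktemp -d) && mkdir -p "$demo/.git"
printf '%s\n' 'ref: refs/heads/demo-$(true)' > "$demo/.git/HEAD"
audit_repo "$demo" || echo "audit_repo exit status: $?"
rm -rf "$demo"
```

Run `audit_repo <path>` on a freshly cloned or unpacked repository before changing into it; a status of 2 means the layout is not the plain one assumed here and the name was not checked.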