PT-2025-44455 · Unknown · Sqls-Server/Sqls

Published: 2025-10-30 · Updated: 2025-11-07 · CVE-2025-61141

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: sqls-server/sqls version 0.2.28
Description: sqls-server/sqls version 0.2.28 contains a command injection issue in the config command. The vulnerable component is the openEditor function, which passes the EDITOR environment variable and the config file path as arguments to sh -c without proper sanitization. Because both values are interpreted by the shell rather than handed to the editor directly, an attacker who controls either of them can execute arbitrary commands.
Recommendations: Update to a newer version of sqls-server/sqls that addresses this issue. As a temporary workaround, consider restricting or disabling the use of the config command until a patch is available.
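The root cause described above is a string being built from EDITOR and the path and then re-parsed by sh -c. The following Go program is an added illustration for this advisory, not code from the sqls project: unsafeShellLine reproduces the risky construction as a string (nothing is executed), and safeEditorArgv shows the usual fix of invoking the editor through exec.Command with the path as its own argv element, so the shell never sees it. The function names, the EDITOR splitting rule, and the sample path are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// unsafeShellLine mirrors the pattern the advisory describes: editor and
// path are concatenated into one command line destined for `sh -c`.
// Whitespace and any shell-special characters in either value are
// interpreted by the shell, not passed to the editor literally.
// (Illustration only: this function never runs the string.)
func unsafeShellLine(editor, configPath string) string {
	return fmt.Sprintf("%s %s", editor, configPath)
}

// safeEditorArgv builds an argv without involving a shell. EDITOR is split
// on whitespace so values such as "code --wait" keep their flags (assumption:
// quoted arguments inside EDITOR are not supported here), and the config path
// is appended as a single element, so it is never re-parsed by anything.
func safeEditorArgv(editor, configPath string) ([]string, error) {
	fields := strings.Fields(editor)
	if len(fields) == 0 {
		return nil, errors.New("EDITOR is not set or empty")
	}
	if configPath == "" {
		return nil, errors.New("config path is empty")
	}
	return append(fields, configPath), nil
}

// openEditor is the hardened counterpart to the vulnerable pattern: the
// editor binary is exec'd directly with its arguments, attached to the
// user's terminal. No sh -c, so no interpretation of the path.
func openEditor(configPath string) error {
	argv, err := safeEditorArgv(os.Getenv("EDITOR"), configPath)
	if err != nil {
		return err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	// Constructed sample path containing a space and a shell variable
	// reference, chosen to show how the two approaches differ.
	path := "/tmp/my config $HOME.yml"

	fmt.Printf("string handed to sh -c : %q\n", unsafeShellLine("vim", path))
	argv, err := safeEditorArgv("vim -u NONE", path)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("argv handed to exec    : %q\n", argv)
	// In the first case the shell would split the path into two words and
	// expand $HOME; in the second the editor receives the path unchanged.
}
```

Running the program prints the single string the shell would have to parse next to the argv slice in which the path survives as one literal element; calling openEditor with a real EDITOR set opens that path in the editor without a shell in between.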

Fix

Weakness Enumeration: Command Injection

Related Identifiers

CVE-2025-61141
GHSA-F9F4-5859-29MF
GO-2025-4088
OPENSUSE-SU-2025:15710-1

Affected Products

Sqls-Server/Sqls