If the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the gettreesha() function. This can then lead to a potential RCE.

Users should upgrade immediately to v1.9.5. All prior versions are vulnerable.

None

Fixed by: https://github.com/JuliaRegistries/Registrator.jl/pull/449 (which is available in v1.9.5).

Thanks to splitline from the DEVCORE Research Team for reporting this issue.