CVE-2025-69257

Name of the Vulnerable Software and Affected Versions theshit versions prior to 0.1.1

Description theshit is a command-line utility designed to identify and correct common errors in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations, such as ~/.config/theshit/, without validating ownership or permissions when run with elevated privileges. If executed with sudo or as root, the tool trusts configuration files from the unprivileged user's environment. This allows a local attacker to inject arbitrary Python code through a malicious rule or configuration file, which is then executed with root privileges. Any system where the tool is executed with elevated privileges is affected. In environments where the tool is permitted to run via sudo without a password, a local unprivileged user can escalate privileges to root without further interaction. The issue stems from insufficient validation of configuration file ownership and permissions. The application loads files without verifying that they are owned by the effective user executing the tool. When running with elevated privileges, it fails to enforce that rules are owned by root or are not writable by non-root users. This allows for the execution of untrusted code with root privileges.

Recommendations Versions prior to 0.1.1 should be updated to version 0.1.1. As a temporary mitigation, ensure that directories containing custom rules and configuration files are owned by root and are not writable by non-root users. Avoid executing the application with sudo or as the root user if upgrading is not possible.