FKIE_CVE-2025-69257

Vulnerability from fkie_nvd - Published: 2025-12-30 20:16 - Updated: 2026-04-15 00:35
Severity ?
6.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.config/theshit/`) without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with `sudo` or otherwise runs with an effective UID of root, it continues to trust configuration files originating from the unprivileged user's environment. This allows a local attacker to inject arbitrary Python code via a malicious rule or configuration file, which is then executed with root privileges. Any system where this tool is executed with elevated privileges is affected. In environments where the tool is permitted to run via `sudo` without a password (`NOPASSWD`), a local unprivileged user can escalate privileges to root without additional interaction. The issue has been fixed in version 0.1.1. The patch introduces strict ownership and permission checks for all configuration files and custom rules. The application now enforces that rules are only loaded if they are owned by the effective user executing the tool. When executed with elevated privileges (`EUID=0`), the application refuses to load any files that are not owned by root or that are writable by non-root users. When executed as a non-root user, it similarly refuses to load rules owned by other users. This prevents both vertical and horizontal privilege escalation via execution of untrusted code. If upgrading is not possible, users should avoid executing the application with `sudo` or as the root user. As a temporary mitigation, ensure that directories containing custom rules and configuration files are owned by root and are not writable by non-root users. Administrators may also audit existing custom rules before running the tool with elevated privileges.
References
security-advisories@github.comhttps://github.com/AsfhtgkDavid/theshit/commit/8e0b565e7876a83b0e1cfbacb8af39dadfdcc500
security-advisories@github.comhttps://github.com/AsfhtgkDavid/theshit/security/advisories/GHSA-95qg-89c2-w5hj
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.config/theshit/`) without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with `sudo` or otherwise runs with an effective UID of root, it continues to trust configuration files originating from the unprivileged user\u0027s environment. This allows a local attacker to inject arbitrary Python code via a malicious rule or configuration file, which is then executed with root privileges. Any system where this tool is executed with elevated privileges is affected. In environments where the tool is permitted to run via `sudo` without a password (`NOPASSWD`), a local unprivileged user can escalate privileges to root without additional interaction. The issue has been fixed in version 0.1.1. The patch introduces strict ownership and permission checks for all configuration files and custom rules. The application now enforces that rules are only loaded if they are owned by the effective user executing the tool. When executed with elevated privileges (`EUID=0`), the application refuses to load any files that are not owned by root or that are writable by non-root users. When executed as a non-root user, it similarly refuses to load rules owned by other users. This prevents both vertical and horizontal privilege escalation via execution of untrusted code. If upgrading is not possible, users should avoid executing the application with `sudo` or as the root user. As a temporary mitigation, ensure that directories containing custom rules and configuration files are owned by root and are not writable by non-root users. Administrators may also audit existing custom rules before running the tool with elevated privileges."
    },
    {
      "lang": "es",
      "value": "theshit es una utilidad de l\u00ednea de comandos que detecta y corrige autom\u00e1ticamente errores comunes en los comandos de shell. Antes de la versi\u00f3n 0.1.1, la aplicaci\u00f3n carga reglas Python personalizadas y archivos de configuraci\u00f3n desde ubicaciones escribibles por el usuario (por ejemplo, \u0027~/.config/theshit/\u0027) sin validar la propiedad o los permisos cuando se ejecuta con privilegios elevados. Si la herramienta se invoca con \u0027sudo\u0027 o se ejecuta de otra manera con un UID efectivo de root, contin\u00faa confiando en los archivos de configuraci\u00f3n originados en el entorno del usuario sin privilegios. Esto permite a un atacante local inyectar c\u00f3digo Python arbitrario a trav\u00e9s de una regla o archivo de configuraci\u00f3n malicioso, que luego se ejecuta con privilegios de root. Cualquier sistema donde esta herramienta se ejecute con privilegios elevados se ve afectado. En entornos donde se permite que la herramienta se ejecute a trav\u00e9s de \u0027sudo\u0027 sin contrase\u00f1a (\u0027NOPASSWD\u0027), un usuario local sin privilegios puede escalar privilegios a root sin interacci\u00f3n adicional. El problema ha sido solucionado en la versi\u00f3n 0.1.1. El parche introduce estrictas comprobaciones de propiedad y permisos para todos los archivos de configuraci\u00f3n y reglas personalizadas. La aplicaci\u00f3n ahora exige que las reglas solo se carguen si son propiedad del usuario efectivo que ejecuta la herramienta. Cuando se ejecuta con privilegios elevados (\u0027EUID=0\u0027), la aplicaci\u00f3n se niega a cargar cualquier archivo que no sea propiedad de root o que sea escribible por usuarios que no sean root. Cuando se ejecuta como un usuario que no es root, de manera similar se niega a cargar reglas propiedad de otros usuarios. Esto previene la escalada de privilegios tanto vertical como horizontal mediante la ejecuci\u00f3n de c\u00f3digo no confiable. Si la actualizaci\u00f3n no es posible, los usuarios deben evitar ejecutar la aplicaci\u00f3n con \u0027sudo\u0027 o como usuario root. Como mitigaci\u00f3n temporal, aseg\u00farese de que los directorios que contienen reglas personalizadas y archivos de configuraci\u00f3n sean propiedad de root y no sean escribibles por usuarios que no sean root. Los administradores tambi\u00e9n pueden auditar las reglas personalizadas existentes antes de ejecutar la herramienta con privilegios elevados."
    }
  ],
  "id": "CVE-2025-69257",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-30T20:16:01.900",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AsfhtgkDavid/theshit/commit/8e0b565e7876a83b0e1cfbacb8af39dadfdcc500"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AsfhtgkDavid/theshit/security/advisories/GHSA-95qg-89c2-w5hj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        },
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-829"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.