7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41815

GHSA ID

GHSA-vx24-x4mv-vwr5

EPSS Score

0.2808%

CWE

CWE-77

Published

7/26/2024

Updated

9/19/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-41815

CVE-2024-41815:
Starship vulnerable to shell injection via undocumented, unpredictable shell expansion in custom commands

Description

Starship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash. Version 1.20.0 fixes the vulnerability.

PoC

Have some custom command which prints out information from a potentially untrusted/unverified source.

[custom.git_commit_name]
command = 'git show -s --format="%<(25,mtrunc)%s"'
style = "italic"
when = true

Impact

This issue only affects users with custom commands, so the scope is limited, and without knowledge of others' commands, it could be hard to successfully target someone.

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41815

GHSA ID

GHSA-vx24-x4mv-vwr5

EPSS Score

0.2808%

CWE

CWE-77

Published

7/26/2024

Updated

9/19/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
starship	rust	>= 1.0.0, <= 1.19.0	1.20.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how custom command output was handled in the StringFormatter. The pre-patch code in src/modules/custom.rs used map_no_escaping for the 'output' variable, which disabled escaping of special characters. This is shown in the commit diff where output handling was moved to a variables_closure and made conditional on the new unsafe_no_escape flag. The addition of escaping by default (using .map() instead of .map_no_escaping()) in the patched version directly addresses the command injection vulnerability. The test cases added in the commit (output_is_escaped and unsafe_no_escape) further confirm this was the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## **s*ription St*rs*ip is * *ross-s**ll prompt. St*rtin* in v*rsion *.*.* *n* prior to v*rsion *.**.*, un*o*um*nt** *n* unpr**i*t**l* s**ll *xp*nsion *n*/or quotin* rul*s m*k* it **sily to ***i**nt*lly **us* s**ll inj**tion w**n usin* *ustom *omm*n

Reasoning

T** vuln*r**ility st*ms *rom *ow *ustom *omm*n* output w*s **n*l** in t** Strin**orm*tt*r. T** pr*-p*t** *o** in sr*/mo*ul*s/*ustom.rs us** m*p_no_*s**pin* *or t** 'output' v*ri**l*, w*i** *is**l** *s**pin* o* sp**i*l ***r**t*rs. T*is is s*own in t**

7.4

Basic Information

Concerned about an active attack path?

CVE-2024-41815: Starship vulnerable to shell injection via undocumented, unpredictable shell expansion in custom commands

Description

PoC

Impact

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-41815:
Starship vulnerable to shell injection via undocumented, unpredictable shell expansion in custom commands

Vulnerability Intelligence
Miggo AI