CVE-2025-61141: sqls-server/sqls is vulnerable to command injection in the config command
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2025-61141
GHSA ID:
EPSS Score: 0.78565%
CWE:
Published: 10/30/2025
Updated: 10/31/2025
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/sqls-server/sqls | go | = 0.2.28 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability exists in the openEditor function in main.go, which opens the sqls configuration file in an external editor when the config command is run. The function built a single command string by concatenating the editor program taken from the EDITOR environment variable with the path of the configuration file, and handed that string to exec.Command("sh", "-c", command). Because the shell re-parses the string, metacharacters in either component are interpreted: anyone who can influence the environment in which sqls runs (for example EDITOR='vim; id') gets arbitrary commands executed with the privileges of the sqls process. The patch replaces the shell invocation with exec.Command(program, args...), which executes the editor binary directly with its arguments passed as separate argv elements; no shell parses the input, so it cannot be turned into additional commands.
Vulnerable functions
openEditor (main.go)
The `openEditor` function ran the external editor through `exec.Command("sh", "-c", ...)`. The `program` value, taken from the `EDITOR` environment variable, was concatenated with the remaining arguments into one string that the shell then parsed, so whoever controls `EDITOR` can make the shell run arbitrary commands alongside, or instead of, the editor.
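The vulnerable pattern and the hardened pattern side by side, as an added Go example written for this page; it is not code from the sqls project or its patch. The function names `vulnerableEditorCmd` and `safeEditorCmd`, the sample config path and the hostile `EDITOR` value are constructed for illustration, and the decision to split `EDITOR` on whitespace so that values like `code --wait` keep their flags is a design choice of this example, not something the advisory states about the real fix.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// vulnerableEditorCmd reproduces the pattern the advisory describes: the editor
// program and the file path are joined into one string and handed to "sh -c",
// so the shell re-parses everything, including ';', '|', '$(...)' and friends.
// Hypothetical reconstruction for illustration, not the project's own code.
func vulnerableEditorCmd(editor, path string) *exec.Cmd {
	command := editor + " " + path
	return exec.Command("sh", "-c", command)
}

// safeEditorCmd executes the editor directly, without a shell. EDITOR is split
// on whitespace so values such as "code --wait" keep their flags (an assumption
// of this example; shell-style quoting inside EDITOR is deliberately not
// supported), and the path is appended as its own argv element. "vim; id"
// therefore becomes a program literally named "vim;" with the argument "id":
// nothing interprets the ';', and exec simply fails if no such binary exists.
func safeEditorCmd(editor, path string) (*exec.Cmd, error) {
	fields := strings.Fields(editor)
	if len(fields) == 0 {
		return nil, errors.New("EDITOR is not set or empty")
	}
	program, args := fields[0], fields[1:]
	args = append(args, path)
	return exec.Command(program, args...), nil
}

func main() {
	// Constructed sample input: a hostile EDITOR value and a config path.
	editor := "true; echo INJECTED"
	path := "/home/user/.config/sqls/config.yml"

	// Vulnerable form: the shell runs "true", then "echo INJECTED <path>".
	vuln := vulnerableEditorCmd(editor, path)
	out, err := vuln.CombinedOutput()
	fmt.Printf("vulnerable: argv=%q output=%q err=%v\n", vuln.Args, string(out), err)

	// Hardened form: argv is ["true;", "echo", "INJECTED", path]. There is no
	// program called "true;", so the call fails instead of running anything.
	safe, err := safeEditorCmd(editor, path)
	if err != nil {
		fmt.Println("hardened: refused:", err)
		return
	}
	_, err = safe.CombinedOutput()
	fmt.Printf("hardened:   argv=%q err=%v\n", safe.Args, err)
}
```

Two caveats worth keeping in mind when applying this pattern. First, removing the shell stops the variable from being parsed into extra commands, but it does not make `EDITOR` trustworthy: direct exec still runs whatever program the variable names, so the environment of the process remains part of the trust boundary. Second, splitting on whitespace breaks editor values that rely on shell quoting; if a tool must honour shell syntax in `EDITOR` (as some version-control tools do), it has to treat the variable as fully trusted rather than as data.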