GHSA Advisory · Coordinated Disclosure

GHSA-j425-whc4-4jgc

OpenClaw

system.run env override RCE — allowlist bypass via GIT_SSH_COMMAND, editor hooks, GIT_CONFIG_*

CVSS: 6.3
Severity: Medium
Type: GHSA

Summary

GHSA-j425-whc4-4jgc: remote code execution through the environment override of OpenClaw's system.run tool, bypassing its command allowlist. The allowlist only constrains which binary is launched; a caller who could still set environment variables for an allowlisted git invocation had three well-known routes to arbitrary command execution, as named in the title: GIT_SSH_COMMAND (the program git runs for SSH transport), the editor hooks (GIT_EDITOR, EDITOR, VISUAL, which git launches whenever it needs an editor), and the GIT_CONFIG_* family (GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n, which injects arbitrary configuration such as core.sshCommand or core.pager). CVSS 6.3, Medium severity. Reported and coordinated through the GitHub Security Advisory database.
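To make the bypass concrete, the following is an added illustration written for this page, not OpenClaw's own code: a minimal model of a system.run-style tool that launches an allowlisted binary with caller-supplied environment overrides. The vulnerable planner merges the overrides verbatim; the hardened planner makes overrides default-deny and additionally rejects every variable through which git, the dynamic loader or the shell would execute an attacker-chosen program. The tool shape, the function names, the allowlists and the sample request are all assumptions constructed for the example.

```typescript
// Added illustration for this advisory, not OpenClaw code: a minimal model of a
// system.run-style tool that executes an allowlisted binary with caller-supplied
// environment overrides. All names, signatures and lists here are assumptions.

type Env = Record<string, string>;

interface RunRequest {
  command: string;   // argv[0], checked against the command allowlist
  args: string[];
  env?: Env;         // caller-supplied overrides merged into the process env
}

interface RunPlan {
  ok: boolean;
  reason?: string;
  env: Env;          // environment the child process would actually receive
  rejectedEnv: string[];
}

// Hypothetical command allowlist; "git" is what makes the env override matter.
const COMMAND_ALLOWLIST = new Set<string>(["git", "ls", "cat"]);

// Variables through which git, the dynamic loader or the shell will run an
// attacker-chosen program even when argv looks harmless. Exact names first,
// then prefixes: GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n and
// GIT_CONFIG_PARAMETERS inject arbitrary config such as core.sshCommand.
const EXEC_ENV_EXACT = new Set<string>([
  "GIT_SSH", "GIT_SSH_COMMAND", "GIT_PROXY_COMMAND", "GIT_ASKPASS", "SSH_ASKPASS",
  "GIT_EDITOR", "EDITOR", "VISUAL", "GIT_SEQUENCE_EDITOR",
  "GIT_PAGER", "PAGER", "GIT_EXTERNAL_DIFF",
  "GIT_EXEC_PATH", "GIT_TEMPLATE_DIR", "GIT_DIR", "GIT_WORK_TREE",
  "PATH", "HOME", "XDG_CONFIG_HOME",      // redirect lookups/config to attacker files
  "BASH_ENV", "ENV", "SHELLOPTS",         // shell startup hooks
  "NODE_OPTIONS", "PYTHONPATH", "PERL5OPT",
]);
const EXEC_ENV_PREFIXES = ["GIT_CONFIG_", "LD_", "DYLD_"];

function isExecInfluencingEnv(name: string): boolean {
  // Windows env names are case-insensitive, so compare upper-cased.
  const upper = name.toUpperCase();
  if (EXEC_ENV_EXACT.has(upper)) return true;
  return EXEC_ENV_PREFIXES.some((p) => upper.startsWith(p));
}

// Vulnerable shape: only argv[0] is allowlisted and the override is merged
// verbatim, so "git fetch" stays allowlisted while GIT_SSH_COMMAND runs a shell.
function planRunVulnerable(base: Env, req: RunRequest): RunPlan {
  if (!COMMAND_ALLOWLIST.has(req.command)) {
    return { ok: false, reason: `command not allowlisted: ${req.command}`, env: base, rejectedEnv: [] };
  }
  return { ok: true, env: { ...base, ...(req.env ?? {}) }, rejectedEnv: [] };
}

// Hardened shape: overrides are default-deny. Only names on a short allowlist
// pass, and the exec-influencing denylist is applied on top so a future
// allowlist addition cannot quietly reopen the hole. Any rejected name fails
// the whole request instead of being silently dropped.
const ENV_OVERRIDE_ALLOWLIST = new Set<string>([
  "LANG", "LC_ALL", "TZ", "NO_COLOR",
  "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL",
]);

function planRunHardened(base: Env, req: RunRequest): RunPlan {
  if (!COMMAND_ALLOWLIST.has(req.command)) {
    return { ok: false, reason: `command not allowlisted: ${req.command}`, env: base, rejectedEnv: [] };
  }
  const overrides = req.env ?? {};
  const env: Env = { ...base };
  const rejectedEnv: string[] = [];
  for (const name of Object.keys(overrides)) {
    if (!ENV_OVERRIDE_ALLOWLIST.has(name) || isExecInfluencingEnv(name)) {
      rejectedEnv.push(name);
      continue;
    }
    env[name] = overrides[name];
  }
  if (rejectedEnv.length > 0) {
    return { ok: false, reason: `env override not permitted: ${rejectedEnv.join(", ")}`, env: base, rejectedEnv };
  }
  return { ok: true, env, rejectedEnv };
}

// Constructed sample: a request that passes the argv allowlist but smuggles
// exec-influencing variables through the env override (placeholder values).
const BASE_ENV: Env = { PATH: "/usr/bin:/bin", HOME: "/home/agent" };
const ATTACKER_ENV: Env = {
  GIT_SSH_COMMAND: "/tmp/attacker-script",
  GIT_EDITOR: "/tmp/attacker-script",
  GIT_CONFIG_COUNT: "1",
  GIT_CONFIG_KEY_0: "core.pager",
  GIT_CONFIG_VALUE_0: "/tmp/attacker-script",
  LANG: "C.UTF-8",
};
const ATTACKER_REQUEST: RunRequest = { command: "git", args: ["fetch", "origin"], env: ATTACKER_ENV };

console.log("vulnerable:", planRunVulnerable(BASE_ENV, ATTACKER_REQUEST));
console.log("hardened:  ", planRunHardened(BASE_ENV, ATTACKER_REQUEST));
```

Two caveats a practitioner should keep in mind. First, environment filtering alone does not close the argv side of the same problem: git also accepts `-c core.sshCommand=...`, `-c core.pager=...` and `--exec-path=...` on the command line, so an allowlist that admits git must constrain its arguments as well, which the example does not attempt. Second, the denylist above is only defence in depth; the property that actually holds the line is that unknown override names are refused, because git grows new environment knobs over time and a denylist written today will miss tomorrow's.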

Context

This advisory is part of a series of coordinated disclosures by the same researcher, alongside 23 published CVEs and 5 Linux kernel patches. For methodology, see the author's research page.

Author
Kai Aizen
Independent offensive security researcher. 23 published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.