Command Injection Affecting github.com/sqls-server/sqls package, versions >=0.1.0 <0.2.29


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
1.13% (63rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-GOLANG-GITHUBCOMSQLSSERVERSQLS-13789393
  • published31 Oct 2025
  • disclosed30 Oct 2025
  • creditLukman E

Introduced: 30 Oct 2025

CVE-2025-61141  (opens in a new tab)
CWE-78  (opens in a new tab)

How to fix?

Upgrade github.com/sqls-server/sqls to version 0.2.29 or higher.

Overview

Affected versions of this package are vulnerable to Command Injection via the openEditor() function when the EDITOR environment variable and configuration file path that are passed unsanitized to a shell command. An attacker can execute arbitrary system commands by manipulating the EDITOR environment variable.

References

CVSS Base Scores

version 4.0
version 3.1