kamal-2.5.3.gem: 1 vulnerabilities (highest severity is: 2.8) #41
Description
Vulnerable Library - kamal-2.5.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/thor-1.3.2.gem
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (kamal version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-54314 |  Low |
2.8 | thor-1.3.2.gem | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-54314
Vulnerable Library - thor-1.3.2.gem
Thor is a toolkit for building powerful command-line interfaces.
Library home page: https://rubygems.org/gems/thor-1.3.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/thor-1.3.2.gem
Dependency Hierarchy:
- kamal-2.5.3.gem (Root Library)
- ❌ thor-1.3.2.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
Publish Date: 2025-07-20
URL: CVE-2025-54314
CVSS 3 Score Details (2.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-07-20
Fix Resolution: https://github.com/rails/thor.git - v1.4.0