GHSA-xjr7-3c3g-m763
MEDIUMRenovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
renovatenpmDescription
Summary
The user-provided string depName in the gleam manager is appended to the gleam deps update command without proper sanitization.
Details
Adversaries can provide a maliciously crafted gleam.toml in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code.
All values added to the packagesToUpdate variable in lib/modules/manager/gleam/artifacts.ts are not being escaped using the quote function from the shlex package.
This lack of proper sanitization has been present in the product since version 39.53.0 (https://github.com/renovatebot/renovate/commit/d29698e0131231652970f02765312769975e4d38), released on December 6 of 2024.
PoC
- Create a git repo with the following content:
renovate.json5:
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
customDatasources: {
always: {
defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
},
},
packageRules: [
{
// Target of the day
matchManagers: ["gleam"],
// Trick the manager in believing there's a new version
overrideDatasource: "custom.always",
},
],
}
gleam.toml:
name = "renovate-aci-2"
version = "0.0.1"
[dependencies]
"|| kill 1" = "0.1.0"
manifest.toml:
non-empty file
- Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of
kill 1, terminating the root process of the container.
Impact
This is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | renovate | ≥ 39.53.0&&< 40.33.0 | 40.33.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for renovate. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update renovate to 40.33.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xjr7-3c3g-m763 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xjr7-3c3g-m763 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xjr7-3c3g-m763. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xjr7-3c3g-m763 in your dependencies?
O3 detects GHSA-xjr7-3c3g-m763 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.