CVE-2014-2905 in fish
Summary
by MITRE
fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly check the credentials, which allows local users to gain privileges via the universal variable socket, related to /tmp/fishd.socket.user permissions.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/12/2026
The vulnerability identified as CVE-2014-2905 affects the fish shell version 1.16.0 and earlier versions before 2.1.1, specifically targeting the universal variable socket mechanism that enables inter-process communication between different fish shell instances. This flaw resides in the improper credential validation process that occurs when establishing connections through the /tmp/fishd.socket.user socket file, creating a privilege escalation vector for local attackers. The issue stems from insufficient permission checks on the socket file that allows unauthorized users to establish connections and potentially execute commands with elevated privileges.
The technical implementation of this vulnerability exploits the design assumption that only authorized users could access the fishd socket file, which is typically created with restrictive permissions. However, due to inadequate credential verification during socket connection establishment, malicious local users can bypass these security measures and gain access to the universal variable communication channel. This mechanism allows attackers to manipulate shared variables between shell instances, potentially leading to privilege escalation through the execution of arbitrary code with elevated privileges. The vulnerability specifically impacts systems where multiple users operate fish shell instances simultaneously, as the socket file becomes a shared resource that should be properly secured.
From an operational impact perspective, this vulnerability represents a significant security risk for multi-user systems where fish shell is actively used, particularly in enterprise environments or shared computing resources. Attackers can leverage this flaw to execute privilege escalation attacks that may ultimately allow them to gain root access or access to sensitive system resources. The attack requires local access to the system but does not necessitate network connectivity, making it particularly concerning for environments where physical access control is insufficient. The vulnerability affects the fundamental security model of the fish shell's inter-process communication system, undermining the trust relationships between different user sessions.
The mitigation strategy for CVE-2014-2905 involves upgrading to fish shell version 2.1.1 or later, which includes proper credential validation mechanisms for the universal variable socket. System administrators should also implement proper file permission controls on the socket directory and ensure that the /tmp/fishd.socket.user files are created with appropriate access controls. Additional defensive measures include monitoring for unauthorized access attempts to the fishd socket and implementing process monitoring to detect suspicious activity related to shell instance communication. This vulnerability aligns with CWE-284, which addresses improper access control, and maps to ATT&CK technique T1068, which covers privilege escalation through local exploitation mechanisms. Organizations should also consider implementing mandatory access controls and regular security audits to prevent exploitation of similar credential validation flaws in other system components.