CVE-2026-54557 in mise

Summary

by MITRE • 06/26/2026

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.


Analysis

by VulDB Data Team • 06/26/2026

mise is a development environment manager that installs and activates language runtimes and build tools such as node, python, cmake, and terraform. In versions prior to 2026.6.1, the HTTP backend builds the destination of the symlink it creates at install time from the raw resolved version string, while the regular install path uses a sanitized version pathname. The vulnerability is that inconsistency: one pathway validates the version before it becomes part of a path, the other does not.

The flaw is reached when the HTTP backend installs a non-latest version. The regular install path sanitizes the version into a safe directory name, but the symlink destination is produced by joining the raw resolved version onto the installs root. On Unix-like systems Rust's PathBuf::join replaces the base path entirely when its argument is absolute, so a version string that begins with "/" yields a destination outside the installs root rather than below it.

Because a repository can ship its own .tool-versions file, the version strings come from the repository rather than from the user running mise. A version that resolves to an absolute path makes mise install create a symlink at that attacker-chosen location outside the mise install tree. The primitive is symlink creation at an attacker-selected path, performed with the privileges of the user who ran the install, through what looks like a legitimate tool management operation.

The impact grows with bin_path. The same unsanitized join lets an attacker place an executable symlink under an absolute prefix of their choosing, for example a developer-tool directory that the developer later adds to PATH. Once that directory is on PATH, a command name the attacker chose resolves to the planted symlink, so an ordinary build or tool invocation runs attacker-controlled code with the developer's own privileges. This is code execution in the developer's context via PATH hijacking; the page describes no escalation to higher privileges beyond that.
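The join behaviour described above, the contained join that closes it, and a repository-side check for hostile .tool-versions entries, as an added example in Rust that is not mise's own code. The installs root, the sanitizer, the .tool-versions layout (one `tool version` entry per line, `#` comments) and every function name here are assumptions for illustration; the real mise layout and fix are not shown on the page.

```rust
// Added example (not mise's own code): why `Path::join` with an absolute
// version string escapes the installs root, and a contained join that does not.
use std::path::{Component, Path, PathBuf};

/// Installs root assumed for the example; the real mise layout is not shown on the page.
pub const INSTALLS_ROOT: &str = "/home/dev/.local/share/mise/installs";

/// The vulnerable pattern: the raw resolved version is joined onto the root.
/// On Unix `Path::join` replaces the whole base when its argument is absolute,
/// so a repository-supplied "/usr/local/bin" becomes the symlink destination.
pub fn raw_symlink_dest(tool: &str, raw_version: &str) -> PathBuf {
    Path::new(INSTALLS_ROOT).join(tool).join(raw_version)
}

/// Assumed sanitizer: collapse anything that is not a plain version character
/// into '-', so the result can only ever be one path component.
pub fn sanitize_version(version: &str) -> String {
    version
        .chars()
        .map(|c| if c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_' | '+') { c } else { '-' })
        .collect()
}

/// Accept only a single `Normal` component: no root, no "..", no ".", no empty string.
fn single_component(s: &str) -> Result<&str, String> {
    let mut comps = Path::new(s).components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(_)), None) => Ok(s),
        _ => Err(format!("{s:?} is not a single path component")),
    }
}

/// Join `parts` under `root`, rejecting any part that could leave it, then
/// re-check containment on the result. `starts_with` is a lexical check and
/// does not follow symlinks already on disk, so it is defense in depth only.
pub fn contained_join(root: &Path, parts: &[&str]) -> Result<PathBuf, String> {
    let mut dest = root.to_path_buf();
    for &part in parts {
        dest.push(single_component(part)?);
    }
    if !dest.starts_with(root) {
        return Err(format!("{} escapes {}", dest.display(), root.display()));
    }
    Ok(dest)
}

/// Hardened install symlink destination: sanitized version, then contained join.
pub fn safe_symlink_dest(tool: &str, version: &str) -> Result<PathBuf, String> {
    contained_join(Path::new(INSTALLS_ROOT), &[tool, &sanitize_version(version)])
}

/// Hardened bin_path: the executable symlink must also stay under the root.
pub fn safe_bin_symlink(tool: &str, version: &str, exe: &str) -> Result<PathBuf, String> {
    contained_join(Path::new(INSTALLS_ROOT), &[tool, &sanitize_version(version), "bin", exe])
}

/// Repository-side check before running `mise install` on an untrusted checkout:
/// flag `.tool-versions` entries whose version contains a separator or "..".
/// Returns (1-based line number, "tool offending-versions").
pub fn suspicious_tool_versions(contents: &str) -> Vec<(usize, String)> {
    contents
        .lines()
        .enumerate()
        .filter_map(|(i, line)| {
            let line = line.split('#').next().unwrap_or("").trim();
            let mut fields = line.split_whitespace();
            let tool = fields.next()?;
            let bad: Vec<&str> = fields.filter(|v| v.contains('/') || v.contains("..")).collect();
            if bad.is_empty() { None } else { Some((i + 1, format!("{tool} {}", bad.join(" ")))) }
        })
        .collect()
}

fn main() {
    println!("raw:  {}", raw_symlink_dest("node", "/usr/local/bin").display());
    println!("safe: {:?}", safe_symlink_dest("node", "/usr/local/bin"));
    println!("bin:  {:?}", safe_bin_symlink("node", "20.11.1", "node"));
    // Constructed sample .tool-versions, not taken from any real repository.
    let tv = "# constructed sample\nnode /usr/local/bin\npython 3.12.2\n";
    println!("flagged: {:?}", suspicious_tool_versions(tv));
}
```

The first line printed shows the root vanishing: the join result is exactly the attacker's string. The hardened path never lets a raw string reach `push`; the sanitizer guarantees one component and `single_component` rejects "..", ".", "" and anything absolute even if a future sanitizer regresses.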

The weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, path traversal): path construction accepts untrusted input that escapes the intended root. In ATT&CK terms the follow-on is Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007), with the planted executable ultimately running under Command and Scripting Interpreter (T1059). The fix in 2026.6.1 applies the same version sanitization to the HTTP backend symlink path and to bin_path handling as to the regular install path, so every pathway produces a destination under the mise installs root. Upgrade to 2026.6.1 or later; until then, treat .tool-versions in an untrusted repository as executable configuration and inspect any version entry containing a path separator before running mise install.

Responsible

GitHub M

Reservation

06/15/2026

Disclosure

06/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00175

KEV

no

Activities

very low
