AsfhtgkDavid theshit up to 0.1.0 ~/.config/theshit/ privileges management

Summaryinfo

A vulnerability identified as critical has been detected in AsfhtgkDavid theshit up to 0.1.0. This vulnerability affects unknown code of the file ~/.config/theshit/. The manipulation leads to privileges management. This vulnerability is traded as CVE-2025-69257. An attack has to be approached locally. There is no exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in AsfhtgkDavid theshit up to 0.1.0 and classified as critical. This issue affects some unknown functionality of the file ~/.config/theshit/. The manipulation with an unknown input leads to a privileges management vulnerability. Using CWE to declare the problem leads to CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.config/theshit/`) without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with `sudo` or otherwise runs with an effective UID of root, it continues to trust configuration files originating from the unprivileged user's environment. This allows a local attacker to inject arbitrary Python code via a malicious rule or configuration file, which is then executed with root privileges. Any system where this tool is executed with elevated privileges is affected. In environments where the tool is permitted to run via `sudo` without a password (`NOPASSWD`), a local unprivileged user can escalate privileges to root without additional interaction. The issue has been fixed in version 0.1.1. The patch introduces strict ownership and permission checks for all configuration files and custom rules. The application now enforces that rules are only loaded if they are owned by the effective user executing the tool. When executed with elevated privileges (`EUID=0`), the application refuses to load any files that are not owned by root or that are writable by non-root users. When executed as a non-root user, it similarly refuses to load rules owned by other users. This prevents both vertical and horizontal privilege escalation via execution of untrusted code. If upgrading is not possible, users should avoid executing the application with `sudo` or as the root user. As a temporary mitigation, ensure that directories containing custom rules and configuration files are owned by root and are not writable by non-root users. Administrators may also audit existing custom rules before running the tool with elevated privileges.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-69257 since 12/30/2025. The exploitation is known to be difficult. An attack has to be approached locally. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading to version 0.1.1 eliminates this vulnerability. Applying the patch 8e0b565e7876a83b0e1cfbacb8af39dadfdcc500 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• AsfhtgkDavid

Name

• theshit

Version

• 0.1.0

License

• open-source

Website

• Product: https://github.com/AsfhtgkDavid/theshit/

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion