Astral
Company Details
Linkedin ID:
astral-sh
Website:
Employees number:
29
Number of followers:
3,147
NAICS:
5112
Industry Type:
Homepage:
astral.sh
IP Addresses:
0
Company ID:
AST_2336229
Scan Status:
In-progress
Astral Company CyberSecurity Posture
astral.sh
Astral builds high-performance developer tools for the Python ecosystem, including uv (an all-in-one Python package and project manager) and Ruff (an extremely fast Python linter and formatter).
Astral A.I CyberSecurity Scoring
Astral Risk Score (AI oriented)Between 700 and 749
Astral
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Astral Global Score (TPRM)XXXX
Astral
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Astral Company CyberSecurity News & History
Past Incidents
1
Attack Types
1
Astral
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A critical vulnerability named TARmageddon (CVE-2025-62518) was discovered in the async-tar Rust library and its forks, including tokio-tar, which is widely used in Python and web development ecosystems. The flaw, with a CVSS score of 8.1 (High), allows remote code execution via malicious nested TAR archives, enabling attackers to overwrite configuration files and hijack build backends. Astral’s uv package manager, testcontainers, and wasmCloud were among the affected projects. The vulnerability stems from a desynchronization flaw in TAR parsing, where mismatched PAX and ustar headers cause the parser to incorrectly merge hidden malicious payloads with legitimate files. This enables Python build backend hijacking, container image poisoning, and bypassing security scans. While patches were released for active forks (e.g., astral-tokio-tar), the original tokio-tar (5M+ downloads) remains unpatched, leaving downstream users exposed unless they migrate. The incident highlights risks from abandoned open-source projects and the need for proactive dependency management. Astral took over maintenance of astral-tokio-tar as the recommended fix, but unpatched systems remain vulnerable to supply-chain attacks, CI/CD compromises, and malicious package distribution.
Astral Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Astral
Incidents vs Software Development Industry Average (This Year)
No incidents recorded for Astral in 2026.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Astral in 2026.
Incident Types Astral vs Software Development Industry Avg (This Year)
No incidents recorded for Astral in 2026.
Incident History — Astral (X = Date, Y = Severity)
Astral cyber incidents detection timeline including parent company and subsidiaries
Astral Company Subsidiaries
Astral builds high-performance developer tools for the Python ecosystem, including uv (an all-in-one Python package and project manager) and Ruff (an extremely fast Python linter and formatter).
Loading...
Astral Similar Companies
Groupon is an experiences marketplace that brings people more ways to get the most out of their city or wherever they may be. By enabling real-time mobile commerce across local businesses, live events and travel destinations, Groupon helps people find and discover experiences––big and small, new and
NiCE
NiCE is transforming the world with AI that puts people first. Our purpose-built AI-powered platforms automate engagements into proactive, safe, intelligent actions, empowering individuals and organizations to innovate and act, from interaction to resolution. Trusted by organizations throughout 150
Juniper Networks
Juniper Networks is leading the revolution in networking, making it one of the most exciting technology companies in Silicon Valley today. Since being founded by Pradeep Sindhu, Dennis Ferguson, and Bjorn Liencres nearly 20 years ago, Juniper’s sole mission has been to create innovative products and
Starting our journey in 2011, today, bigbasket - a Tata Enterprise is India’s largest online supermarket with over 13 million customers and a presence in 60+ cities & towns. With our presence spanning the entire spectrum of consumer needs, we operate through a range of business lines - bigbasket, bb
Just Eat Takeaway.com
Just Eat Takeaway.com is a leading global online delivery marketplace, connecting consumers and restaurants through our platform in 17 countries. Like a dinner table, working at JET brings our office employees and couriers together. From coding to customer service to couriers, JET is a
Siemens Digital Industries Software
We help organizations of all sizes digitally transform using software, hardware and services from the Siemens Xcelerator business platform. Our software and the comprehensive digital twin enable companies to optimize their design, engineering and manufacturing processes to turn today's ideas into th
SAP is the leading enterprise application and business AI company. We stand at the intersection of business and technology, where our innovations are designed to directly address real business challenges and produce real-world impacts. Our solutions are the backbone for the world’s most complex and
Amazon is guided by four principles: customer obsession rather than competitor focus, passion for invention, commitment to operational excellence, and long-term thinking. We are driven by the excitement of building technologies, inventing products, and providing services that change lives. We embrac
Lazada
About Lazada Group Founded in 2012, Lazada Group is the leading eCommerce platform in Southeast Asia. We are accelerating progress in Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam through commerce and technology. With the largest logistics and payments networks in the regio
.png)
Astral CyberSecurity News
November 18, 2025 08:00 AM
Bird Flu Recovery Boosts Astral Foods: Revenue Climbs to R22.6 Billion with R1 Billion Cash Pile
Johannesburg – Astral Foods, South Africa's top poultry producer, has staged a remarkable comeback after the devastating bird flu outbreaks...
October 23, 2025 07:00 AM
TARmageddon Vulnerability In Rust Library Let Attackers Replace Config Files And Execute Remote Codes
A severe vulnerability in the async-tar Rust library and its popular forks, including the widely used tokio-tar.
October 22, 2025 07:00 AM
TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution
Cybersecurity researchers have disclosed details of a high-severity flaw impacting the popular async-tar Rust library and its forks,...
October 22, 2025 07:00 AM
Forking confusing: Vulnerable Rust crate exposes uv Python packager
A vulnerability in the popular Rust crate async-tar has affected the fast uv Python package manager, which uses a forked version that's now...
October 20, 2025 07:00 AM
Warning to small businesses ahead of festive season and Black Friday
Six cybersecurity tips for small businesses to implement.
September 22, 2025 07:00 AM
TechD Cybersecurity Lists 90% Above IPO Price at ₹366.7
TechD Cybersecurity debuts on NSE Emerge at ₹366.70, nearly 90% above IPO price of ₹193; IPO subscribed 718x, stock hits upper circuit at...
September 22, 2025 07:00 AM
TechD Cybersecurity shares soar on debut, list 90% above issue price on NSE SME
TechD Cybersecurity shares made a strong debut on Dalal Street. The stock opened at a significant premium. The IPO saw overwhelming demand...
September 18, 2025 07:00 AM
TechD Cybersecurity IPO Allotment Status: Step-by-Step Guide for Investors
TechD Cybersecurity IPO allotment status finalises Sept 19 after record 668x subscription. Check status via Purva Sharegistry or NSE...
September 18, 2025 07:00 AM
TechD Cybersecurity IPO allotment to be finalised today: How to check status, GMP and listing outlook
TechD Cybersecurity will finalize its share allotment soon. The IPO saw huge demand, subscribing 718 times. Investors can check their...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Astral CyberSecurity History Information
Official Website of Astral
The official website of Astral is https://astral.sh.
Astral’s AI-Generated Cybersecurity Score
According to Rankiteo, Astral’s AI-generated cybersecurity score is 749, reflecting their Moderate security posture.
How many security badges does Astral’ have ?
According to Rankiteo, Astral currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Has Astral been affected by any supply chain cyber incidents ?
According to Rankiteo, Astral has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.
Does Astral have SOC 2 Type 1 certification ?
According to Rankiteo, Astral is not certified under SOC 2 Type 1.
Does Astral have SOC 2 Type 2 certification ?
According to Rankiteo, Astral does not hold a SOC 2 Type 2 certification.
Does Astral comply with GDPR ?
According to Rankiteo, Astral is not listed as GDPR compliant.
Does Astral have PCI DSS certification ?
According to Rankiteo, Astral does not currently maintain PCI DSS compliance.
Does Astral comply with HIPAA ?
According to Rankiteo, Astral is not compliant with HIPAA regulations.
Does Astral have ISO 27001 certification ?
According to Rankiteo,Astral is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Astral
Astral operates primarily in the Software Development industry.
Number of Employees at Astral
Astral employs approximately 29 people worldwide.
Subsidiaries Owned by Astral
Astral presently has no subsidiaries across any sectors.
Astral’s LinkedIn Followers
Astral’s official LinkedIn profile has approximately 3,147 followers.
NAICS Classification of Astral
Astral is classified under the NAICS code 5112, which corresponds to Software Publishers.
Astral’s Presence on Crunchbase
No, Astral does not have a profile on Crunchbase.
Astral’s Presence on LinkedIn
Yes, Astral maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/astral-sh.
Cybersecurity Incidents Involving Astral
As of January 21, 2026, Rankiteo reports that Astral has experienced 1 cybersecurity incidents.
Number of Peer and Competitor Companies
Astral has an estimated 28,123 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Astral ?
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability.
How does Astral detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with edera security team, and containment measures with patches released for active forks (e.g., astral-tokio-tar), containment measures with recommendation to migrate from tokio-tar to maintained alternatives, and remediation measures with prioritize pax headers over ustar for size determination, remediation measures with validate header consistency, remediation measures with strict boundary checking in tar parsers, remediation measures with post-extraction directory scanning (mitigation), remediation measures with file count validation (mitigation), and recovery measures with astral’s takeover of astral-tokio-tar maintenance, recovery measures with guidance for manual upgrades/migration, and communication strategy with public vulnerability disclosure, communication strategy with decentralized outreach to fork maintainers via community sleuthing, communication strategy with developer advisories for uv/testcontainers/wasmcloud users, and enhanced monitoring with post-extraction validation checks..
Incident Details
Can you provide details on each incident ?
Title: TARmageddon Vulnerability (CVE-2025-62518) in async-tar and tokio-tar Libraries
Description: A critical vulnerability (CVE-2025-62518, severity 8.1 - High) in the async-tar Rust library and its derivative forks (e.g., tokio-tar) allows remote code execution via crafted nested TAR archives. The flaw enables attackers to overwrite configuration files and hijack build backends by exploiting desynchronization between PAX extended headers and ustar headers. The vulnerability affects major projects like Astral’s uv package manager, testcontainers, and wasmCloud. The unmaintained status of tokio-tar (5M+ downloads) complicates patching, forcing decentralized disclosure. Patches prioritize PAX headers and enforce strict validation, but unpatched systems remain at risk of Python build backend hijacking, container image poisoning, and security scan bypasses.
Type: Vulnerability
Attack Vector: Malicious TAR Archive Extraction (Nested Headers Desynchronization)Python Build Backend Hijacking (PyPI)Container Image Poisoning (Testcontainers)Security Scan Bypass (Hidden Files in Inner Archives)
Vulnerability Exploited: Cve Id: CVE-2025-62518, Severity: High (8.1), Description: Desynchronization flaw in TAR parser: prioritizes ustar headers (often size=0) over PAX extended headers, causing incorrect stream positioning and merging of hidden inner archive payloads with outer legitimate files., async-tartokio-tarastral-tokio-tar (pre-patch)uv package managertestcontainerswasmCloudRoot Cause: Logic bug in header size validation (PAX vs. ustar priority mismatch).
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Vulnerability.
Impact of the Incidents
What was the impact of each incident ?
Incident : Vulnerability AST4632346102325
Systems Affected: Developer machines (via PyPI package installation)CI/CD pipelinesTestcontainers environmentswasmCloud deploymentsDownstream projects using tokio-tar (5M+ instances)
Operational Impact: Decentralized disclosure coordination challengesManual patching/migration required for unmaintained forksRisk of supply chain compromise via PyPI/testcontainers
Brand Reputation Impact: Erosion of trust in Rust ecosystem securityHighlighted risks of abandonware in critical dependencies
Which entities were affected by each incident ?
Incident : Vulnerability AST4632346102325
Entity Name: tokio-tar
Entity Type: Open-Source Library
Industry: Software Development
Size: 5M+ downloads (crates.io)
Customers Affected: Downstream Rust/Python projects
Incident : Vulnerability AST4632346102325
Entity Name: Astral (uv package manager)
Entity Type: Software Company
Industry: Developer Tools
Customers Affected: Python developers using uv
Incident : Vulnerability AST4632346102325
Entity Name: testcontainers
Entity Type: Open-Source Project
Industry: DevOps/Testing
Customers Affected: Teams using containerized testing
Incident : Vulnerability AST4632346102325
Entity Name: wasmCloud
Entity Type: Open-Source Project
Industry: WebAssembly/Cloud
Incident : Vulnerability AST4632346102325
Entity Name: Edera Security
Entity Type: Security Research Team
Industry: Cybersecurity
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Vulnerability AST4632346102325
Incident Response Plan Activated: True
Third Party Assistance: Edera Security Team.
Containment Measures: Patches released for active forks (e.g., astral-tokio-tar)Recommendation to migrate from tokio-tar to maintained alternatives
Remediation Measures: Prioritize PAX headers over ustar for size determinationValidate header consistencyStrict boundary checking in TAR parsersPost-extraction directory scanning (mitigation)File count validation (mitigation)
Recovery Measures: Astral’s takeover of astral-tokio-tar maintenanceGuidance for manual upgrades/migration
Communication Strategy: Public vulnerability disclosureDecentralized outreach to fork maintainers via community sleuthingDeveloper advisories for uv/testcontainers/wasmCloud users
Enhanced Monitoring: Post-extraction validation checks
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Edera Security Team, .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Vulnerability AST4632346102325
File Types Exposed: Configuration filesBuild backend scriptsHidden payloads in inner TAR archives
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Prioritize PAX headers over ustar for size determination, Validate header consistency, Strict boundary checking in TAR parsers, Post-extraction directory scanning (mitigation), File count validation (mitigation), .
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by patches released for active forks (e.g., astral-tokio-tar), recommendation to migrate from tokio-tar to maintained alternatives and .
Ransomware Information
How does the company recover data encrypted by ransomware ?
Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Astral’s takeover of astral-tokio-tar maintenance, Guidance for manual upgrades/migration, .
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Vulnerability AST4632346102325
Lessons Learned: Rust’s memory safety does not prevent logic bugs (e.g., header parsing flaws)., Abandonware in critical dependencies creates systemic risk despite ecosystem popularity., Decentralized disclosure is resource-intensive and error-prone for unmaintained projects., Defense-in-depth strategies (e.g., post-extraction validation) are essential for supply chain security., Proactive library maintenance and successor planning are needed for open-source sustainability.
What recommendations were made to prevent future incidents ?
Incident : Vulnerability AST4632346102325
Recommendations: Immediately upgrade to patched versions (e.g., astral-tokio-tar for uv users)., Migrate from tokio-tar to actively maintained alternatives (e.g., standard tar crate)., Implement runtime mitigations: post-extraction directory scanning, file count validation., Audit dependencies for unmaintained forks and establish fallback maintenance plans., Enforce strict validation of TAR archive headers in build pipelines., Monitor PyPI/testcontainers for malicious packages exploiting TARmageddon.Immediately upgrade to patched versions (e.g., astral-tokio-tar for uv users)., Migrate from tokio-tar to actively maintained alternatives (e.g., standard tar crate)., Implement runtime mitigations: post-extraction directory scanning, file count validation., Audit dependencies for unmaintained forks and establish fallback maintenance plans., Enforce strict validation of TAR archive headers in build pipelines., Monitor PyPI/testcontainers for malicious packages exploiting TARmageddon.Immediately upgrade to patched versions (e.g., astral-tokio-tar for uv users)., Migrate from tokio-tar to actively maintained alternatives (e.g., standard tar crate)., Implement runtime mitigations: post-extraction directory scanning, file count validation., Audit dependencies for unmaintained forks and establish fallback maintenance plans., Enforce strict validation of TAR archive headers in build pipelines., Monitor PyPI/testcontainers for malicious packages exploiting TARmageddon.Immediately upgrade to patched versions (e.g., astral-tokio-tar for uv users)., Migrate from tokio-tar to actively maintained alternatives (e.g., standard tar crate)., Implement runtime mitigations: post-extraction directory scanning, file count validation., Audit dependencies for unmaintained forks and establish fallback maintenance plans., Enforce strict validation of TAR archive headers in build pipelines., Monitor PyPI/testcontainers for malicious packages exploiting TARmageddon.Immediately upgrade to patched versions (e.g., astral-tokio-tar for uv users)., Migrate from tokio-tar to actively maintained alternatives (e.g., standard tar crate)., Implement runtime mitigations: post-extraction directory scanning, file count validation., Audit dependencies for unmaintained forks and establish fallback maintenance plans., Enforce strict validation of TAR archive headers in build pipelines., Monitor PyPI/testcontainers for malicious packages exploiting TARmageddon.Immediately upgrade to patched versions (e.g., astral-tokio-tar for uv users)., Migrate from tokio-tar to actively maintained alternatives (e.g., standard tar crate)., Implement runtime mitigations: post-extraction directory scanning, file count validation., Audit dependencies for unmaintained forks and establish fallback maintenance plans., Enforce strict validation of TAR archive headers in build pipelines., Monitor PyPI/testcontainers for malicious packages exploiting TARmageddon.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Rust’s memory safety does not prevent logic bugs (e.g., header parsing flaws).,Abandonware in critical dependencies creates systemic risk despite ecosystem popularity.,Decentralized disclosure is resource-intensive and error-prone for unmaintained projects.,Defense-in-depth strategies (e.g., post-extraction validation) are essential for supply chain security.,Proactive library maintenance and successor planning are needed for open-source sustainability.
References
Where can I find more information about each incident ?
Incident : Vulnerability AST4632346102325
Source: Edera Security Advisory
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Edera Security Advisory.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Vulnerability AST4632346102325
Investigation Status: Ongoing (patches released; unpatched tokio-tar remains vulnerable)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Vulnerability Disclosure, Decentralized Outreach To Fork Maintainers Via Community Sleuthing and Developer Advisories For Uv/Testcontainers/Wasmcloud Users.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Vulnerability AST4632346102325
Stakeholder Advisories: Developers Using Uv/Testcontainers/Wasmcloud, Maintainers Of Async-Tar/Tokio-Tar Forks, Rust/Python Ecosystem Security Teams.
Customer Advisories: Urgent patching/migration required for tokio-tar usersValidation steps for PyPI package consumersGuidance for secure TAR extraction in CI/CD
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Developers Using Uv/Testcontainers/Wasmcloud, Maintainers Of Async-Tar/Tokio-Tar Forks, Rust/Python Ecosystem Security Teams, Urgent Patching/Migration Required For Tokio-Tar Users, Validation Steps For Pypi Package Consumers, Guidance For Secure Tar Extraction In Ci/Cd and .
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Vulnerability AST4632346102325
Root Causes: Header Desynchronization (Pax Vs. Ustar Priority Mismatch), Lack Of Maintainer Responsiveness For Tokio-Tar (Abandonware), Absence Of Standardized Security Contacts For Open-Source Forks, Over-Reliance On Memory Safety Without Logic Bug Safeguards,
Corrective Actions: Patch Release Enforcing Pax Header Priority And Validation, Astral’S Adoption Of Tokio-Tar Maintenance (Astral-Tokio-Tar), Community-Driven Fork Audits And Maintainer Succession Planning, Enhanced Tar Parser Testing For Nested Archive Edge Cases,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Edera Security Team, , Post-Extraction Validation Checks, .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Patch Release Enforcing Pax Header Priority And Validation, Astral’S Adoption Of Tokio-Tar Maintenance (Astral-Tokio-Tar), Community-Driven Fork Audits And Maintainer Succession Planning, Enhanced Tar Parser Testing For Nested Archive Edge Cases, .
Additional Questions
Impact of the Incidents
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was Developer machines (via PyPI package installation)CI/CD pipelinesTestcontainers environmentswasmCloud deploymentsDownstream projects using tokio-tar (5M+ instances).
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was edera security team, .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Patches released for active forks (e.g. and astral-tokio-tar)Recommendation to migrate from tokio-tar to maintained alternatives.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Proactive library maintenance and successor planning are needed for open-source sustainability.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Enforce strict validation of TAR archive headers in build pipelines., Monitor PyPI/testcontainers for malicious packages exploiting TARmageddon., Migrate from tokio-tar to actively maintained alternatives (e.g., standard tar crate)., Audit dependencies for unmaintained forks and establish fallback maintenance plans., Immediately upgrade to patched versions (e.g., astral-tokio-tar for uv users)., Implement runtime mitigations: post-extraction directory scanning and file count validation..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident is Edera Security Advisory.
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (patches released; unpatched tokio-tar remains vulnerable).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Developers using uv/testcontainers/wasmCloud, Maintainers of async-tar/tokio-tar forks, Rust/Python ecosystem security teams, .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued was an Urgent patching/migration required for tokio-tar usersValidation steps for PyPI package consumersGuidance for secure TAR extraction in CI/CD.
.png)
Latest Global CVEs (Not Company-Specific)
Description
SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.
Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
Risk Information
cvss3
Base: 8.1
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=astral-sh' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
