Sublime Forum

CVE-2024-25255 Critical

#1

Hi,

Can you help me, please?

What is the version with issues, and is there a patch?

Thanks

0 Likes

#2

I would consider this an invalid CVE as this is intended behavior outlined within Sublime Text’s Build System’s documentation (https://www.sublimetext.com/docs/build_systems.html#exec-target-options). Check the reference website from the CVE record (https://www.cve.org/CVERecord?id=CVE-2024-25255) and make the determination for yourself.

0 Likes

#3

What a bullshit CVE!

ST’s build system is just an entry point to run shell scripts.

What the CVE describes as “OS Command Injection” is by design the primary function of ST’s build system.

Can you start harmful shell scripts by hitting ctrl+b? For sure, but you can do so with a make as well.

3 Likes

#4

New sh/bash/zsh vulnerability found. You can launch one of those, <your reverse shell code goes here>, hit enter, your reverse shell should now be active! 🤦

0 Likes