CVE-2024-42482
CVE-2024-42482 is a medium-severity vulnerability in Fish-shop Syntax-check with a CVSS 3.x base score of 4.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-140.
Key facts
- Severity: Medium (CVSS 3.x base score 4.8)
- EPSS exploit prediction: 1% (53rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-2685
- Weakness: CWE-140
- Affected product: Fish-shop Syntax-check
- Published:
- Last modified:
Description
fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.
Frequently asked questions
- What is CVE-2024-42482?
- fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.
- How severe is CVE-2024-42482?
- CVE-2024-42482 has a CVSS 3.x base score of 4.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2024-42482 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (53rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-42482?
- CVE-2024-42482 affects Fish-shop Syntax-check. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-42482?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-42482 have an EU (EUVD) identifier?
- Yes. CVE-2024-42482 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-2685.
- When was CVE-2024-42482 published?
- CVE-2024-42482 was published on 2024-08-12 and last updated on 2026-06-17.
References
- https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03
- https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca
- https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2
Affected products (1)
- cpe:2.3:a:fish-shop:syntax-check:*:*:*:*:*:*:*:*
Other CWE-140 vulnerabilities
- CVE-2025-32918 — High (CVSS 8.8): Improper neutralization of Livestatus command delimiters in autocomplete endpoint within the RestAPI of Checkmk…
- CVE-2024-38865 — High (CVSS 8.8): Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to…
- CVE-2025-47779 — High (CVSS 7.7): Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of…
- CVE-2026-33456 — High (CVSS 7.6): Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with…
- CVE-2023-6157 — High (CVSS 7.6): Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and <…
- CVE-2023-6156 — High (CVSS 7.6): Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, <…