CVE-2026-32948
sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
Description
### Summary

On Windows, sbt uses `Process("cmd", "/c", ...)` to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because `cmd /c` interprets `&`, `|`, and `;` as command separators, a malicious fragment can execute arbitrary commands.

### Patched version

Technically, sbt 1.12.7 is patched, but it has a bug that makes source dependency non-functional, so update to **sbt 1.12.8** or later instead.

### Details

- [Resolvers.scala L84–95](https://github.com/sbt/sbt/blob/dc90f160dfb563f46fd1a7b97945c381d15e2a6c/main/src/main/scala/sbt/Resolvers.scala#L84-L95) — git resolver passes `uri.getFragment()` to `run()` without sanitization
- [Resolvers.scala L137–145](https://github.com/sbt/sbt/blob/dc90f160dfb563f46fd1a7b97945c381d15e2a6c/main/src/main/scala/sbt/Resolvers.scala#L137-L145) — `run()` uses `Process("cmd", "/c", ...)` on Windows, so `cmd` interprets `&&` as a command separator

### PoC

```sh
# build.properties
# sbt.version=1.12.5
# Tested on those two versions of sbt
sbt.version=2.0.0-RC9
```

```scala
// build.sbt
ThisBuild / scalaVersion := "2.12.19"

lazy val root = project
  .in(file("."))
  .dependsOn(vulnerable)

lazy val vulnerable = RootProject(
  uri("https://github.com/sbt/io.git#develop%26%26calc.exe")
)
```

### Impact

Windows users are impacted. An attacker can execute arbitrary Windows commands if they control the dependency URI.
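The missing check described under Details, written out as an added Python example that is not sbt's code and not the 1.12.8 fix itself: it percent-decodes the fragment of a `uri(...)` string like the one in the PoC, refuses anything `cmd /c` would split on, and builds the VCS command as an argv list so no shell re-parses the ref. The ref-name allowlist and the function names are assumptions for illustration.

```python
"""Allowlist check for the VCS URI fragment of an sbt source dependency.

Added example, not sbt's own code or its 1.12.8 fix: it refuses any
branch/tag/revision that `cmd /c` would split on (&, |, ;) and builds the
VCS command as an argv list rather than a string for a shell to re-parse.
"""
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Characters cmd.exe interprets in `cmd /c <string>`, plus whitespace/quotes.
CMD_METACHARS = frozenset('&|;<>^%()"\'`\r\n\t ')

# Conservative allowlist (subset of `git check-ref-format`): alnum, then alnum . _ / + -
_REF_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")


def extract_fragment(vcs_uri: str) -> Optional[str]:
    """Percent-decode the fragment (branch/tag/revision), or None if absent."""
    fragment = urlsplit(vcs_uri).fragment
    if fragment == "":
        return None
    # The PoC encodes the separator as %26%26; decode so the check sees "&&".
    return unquote(fragment)


def ref_problem(ref: str) -> Optional[str]:
    """Return None if `ref` is safe to hand to git/hg/svn, else the reason it is not."""
    if any(ch in CMD_METACHARS for ch in ref):
        return "shell metacharacter or whitespace in ref"
    if ref.startswith("-"):
        return "ref would be parsed as a command-line option"
    if ".." in ref or "//" in ref or ref.endswith(("/", ".lock")):
        return "ref violates git ref-name rules"
    if not _REF_OK.match(ref):
        return "ref contains characters outside the allowlist"
    return None


def checkout_argv(vcs_uri: str) -> Optional[List[str]]:
    """argv for `git checkout <ref>`; [] if the URI has no fragment (default branch),
    None if the fragment is refused and the resolver must abort instead of running it."""
    ref = extract_fragment(vcs_uri)
    if ref is None:
        return []
    if ref_problem(ref) is not None:
        return None
    return ["git", "checkout", ref]
```

The argv list is meant for a process API that passes arguments directly (no `cmd /c` wrapper); the allowlist is a defence in depth on top of that, not a substitute for it.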
How to fix CVE-2026-32948
To remediate CVE-2026-32948, upgrade the affected package to a fixed version below.
- Upgrade to 1.12.8 or later
Is CVE-2026-32948 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.9.5, < 1.12.8