{"id":3520648,"name":"github.com/Shopify/ejson2env","ecosystem":"go","description":"","homepage":"https://github.com/Shopify/ejson2env","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/Shopify/ejson2env","keywords_array":[],"namespace":"github.com/Shopify","versions_count":8,"first_release_published_at":"2018-08-31T19:29:09.000Z","latest_release_published_at":"2021-02-01T18:17:28.000Z","latest_release_number":"v2.0.1+incompatible","last_synced_at":"2026-06-27T01:12:23.649Z","created_at":"2022-04-10T22:07:10.763Z","updated_at":"2026-06-27T01:12:23.649Z","registry_url":"https://pkg.go.dev/github.com/Shopify/ejson2env","install_command":"go get github.com/Shopify/ejson2env","documentation_url":"https://pkg.go.dev/github.com/Shopify/ejson2env#section-documentation","metadata":{},"repo_metadata":{"id":32934805,"uuid":"146931217","full_name":"Shopify/ejson2env","owner":"Shopify","description":"Decrypt EJSON secrets and export them as environment variables.","archived":false,"fork":false,"pushed_at":"2025-10-15T22:03:42.000Z","size":289,"stargazers_count":86,"open_issues_count":8,"forks_count":18,"subscribers_count":364,"default_branch":"main","last_synced_at":"2025-10-20T05:39:01.256Z","etag":null,"topics":["containers","ejson","shell-scripting"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Shopify.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-31T18:51:18.000Z","updated_at":"2025-10-19T07:52:00.000Z","dependencies_parsed_at":"2024-05-08T01:37:16.598Z","dependency_job_id":"50d31142-d81e-4861-9f8a-950130c71272","html_url":"https://github.com/Shopify/ejson2env","commit_stats":{"total_commits":59,"total_committers":15,"mean_commits":3.933333333333333,"dds":0.711864406779661,"last_synced_commit":"599588fc9e99234169c5301867ee13011606fb47"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/Shopify/ejson2env","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Shopify","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280350840,"owners_count":26315923,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-21T02:00:06.614Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"Shopify","name":"Shopify","uuid":"8085","kind":"organization","description":"","email":"engineering@shopify.engineering","website":"https://shopify.engineering/","location":"The Internet","twitter":"ShopifyEng","company":null,"icon_url":"https://avatars.githubusercontent.com/u/8085?v=4","repositories_count":1036,"last_synced_at":"2025-10-20T01:56:32.664Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/Shopify","funding_links":[],"total_stars":151261,"followers":7259,"following":0,"created_at":"2022-11-02T16:20:36.277Z","updated_at":"2025-10-20T01:56:32.664Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Shopify","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Shopify/repositories"},"tags":[{"name":"v2.0.7","sha":"30cf0967871f8e47accbf0b9e1093d1aa61cf50a","kind":"commit","published_at":"2025-02-03T16:18:00.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v2.0.7","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v2.0.7","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v2.0.7","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.7","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.7/manifests"},{"name":"v2.0.6","sha":"15b83d766041ed689fcd2b35c025a85f0a088f79","kind":"commit","published_at":"2024-05-29T18:58:42.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v2.0.6","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v2.0.6","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v2.0.6","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.6/manifests"},{"name":"v2.0.5","sha":"463f91a47f5834787d8f4b76373fd83a2ca4ef3b","kind":"commit","published_at":"2022-04-18T15:05:44.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v2.0.5","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v2.0.5","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v2.0.5","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.5/manifests"},{"name":"v2.0.4","sha":"d5df4493da9da279d8be07735847546347ed5698","kind":"commit","published_at":"2022-03-30T20:21:33.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v2.0.4","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v2.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v2.0.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.4/manifests"},{"name":"v2.0.3","sha":"ac894dd9be867aa0af73b6e0d0318082b20e3b4b","kind":"commit","published_at":"2022-03-23T19:10:09.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v2.0.3","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v2.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v2.0.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.3/manifests"},{"name":"v2.0.2","sha":"5aed389140fb735b57bc15f27ebd9fbb7848709a","kind":"commit","published_at":"2021-10-26T21:41:06.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v2.0.2","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v2.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v2.0.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.2/manifests"},{"name":"v2.0.1","sha":"eb9fa961bb4f4529e6bddaf1dc0e9501ebc4cc7b","kind":"commit","published_at":"2021-02-01T18:17:28.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v2.0.1","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v2.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v2.0.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.1/manifests"},{"name":"v2.0.0","sha":"6bee362eca88b585e71f58b5ca5fbaa15380b199","kind":"tag","published_at":"2019-09-09T19:30:32.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v2.0.0","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v2.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v2.0.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v2.0.0/manifests"},{"name":"v1.1.0","sha":"88364195ba46ff7101d2c585017faa5c70f8b672","kind":"tag","published_at":"2018-10-02T15:28:03.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v1.1.0","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v1.1.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.1.0/manifests"},{"name":"v1.0.4","sha":"2ba5b3ba59db55826fb657a7a50f111c8f94df2f","kind":"commit","published_at":"2018-09-17T18:07:30.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v1.0.4","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v1.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v1.0.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.4/manifests"},{"name":"v1.0.3","sha":"fde702326ffa264f6211fc2f9e0a22377e6f4c3e","kind":"commit","published_at":"2018-09-12T16:59:17.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v1.0.3","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v1.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v1.0.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.3/manifests"},{"name":"v1.0.2","sha":"1ff44896a78041b21672afe32f0ee00d14a084f2","kind":"commit","published_at":"2018-09-05T18:55:43.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v1.0.2","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v1.0.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.2/manifests"},{"name":"v1.0.1","sha":"4af275a8098b125a99b1732fed756595c7514487","kind":"commit","published_at":"2018-08-31T19:38:15.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v1.0.1","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v1.0.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.1/manifests"},{"name":"v1.0.0","sha":"5a2f2a422bfbede5762387cd88b90421c25a0b7b","kind":"commit","published_at":"2018-08-31T19:29:09.000Z","download_url":"https://codeload.github.com/Shopify/ejson2env/tar.gz/v1.0.0","html_url":"https://github.com/Shopify/ejson2env/releases/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/Shopify/ejson2env@v1.0.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/tags/v1.0.0/manifests"}]},"repo_metadata_updated_at":"2025-10-21T23:28:28.217Z","dependent_packages_count":1,"downloads":null,"downloads_period":null,"dependent_repos_count":1,"rankings":{"downloads":null,"dependent_repos_count":5.013535486562248,"dependent_packages_count":5.422166311216818,"stargazers_count":5.664599122021534,"forks_count":5.224839774565079,"docker_downloads_count":null,"average":5.33128517359142},"purl":"pkg:golang/github.com/%21shopify/ejson2env","advisories":[{"uuid":"GSA_kwCzR0hTQS0yYzQ3LW03NTctMzJnNs4ABIMs","url":"https://github.com/advisories/GHSA-2c47-m757-32g6","title":"Insufficient input sanitization in ejson2env ","description":"### Summary\nThe `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to `stdout`. If this output is improperly utilized in further command execution, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system.\n\n### Details\nThe vulnerability exists because environment variables are not properly sanitized during the decryption phase, which enables malicious keys or encrypted values to inject commands.\n\n### Impact\nAn attacker with control over  `.ejson` files can inject commands in the environment where `source $(ejson2env)`  or `eval ejson2env` are executed.\n\n\n### Mitigation\n- Update to a version of `ejson2env` that sanitizes the output during decryption or\n- Do not use `ejson2env` to decrypt untrusted user secrets or\n- Do not evaluate or execute the direct output from `ejson2env` without removing nonprintable characters.\n\n### Credit\nThanks to security researcher [Demonia](https://hackerone.com/demonia?type=user) for reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2025-05-21T18:32:37.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.6,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","references":["https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6","https://github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840","https://nvd.nist.gov/vuln/detail/CVE-2025-48069","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ejson2env/CVE-2025-48069.yml","https://github.com/advisories/GHSA-2c47-m757-32g6"],"source_kind":"github","identifiers":["GHSA-2c47-m757-32g6","CVE-2025-48069"],"repository_url":"https://github.com/Shopify/ejson2env","blast_radius":1.0,"created_at":"2025-05-21T19:08:19.296Z","updated_at":"2026-06-26T00:03:48.997Z","epss_percentage":0.01334,"epss_percentile":0.67516,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yYzQ3LW03NTctMzJnNs4ABIMs","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0yYzQ3LW03NTctMzJnNs4ABIMs","packages":[{"ecosystem":"go","package_name":"github.com/Shopify/ejson2env","versions":[{"first_patched_version":null,"vulnerable_version_range":"\u003c 2.0.8"}],"purl":"pkg:go/github.com%2FShopify%2Fejson2env"},{"ecosystem":"rubygems","package_name":"ejson2env","versions":[{"first_patched_version":"2.0.8","vulnerable_version_range":"\u003c 2.0.8"}],"purl":"pkg:gem/ejson2env"},{"ecosystem":"go","package_name":"github.com/Shopify/ejson2env/v2","versions":[{"first_patched_version":"2.0.8","vulnerable_version_range":"\u003c 2.0.8"}],"purl":"pkg:go/github.com%2FShopify%2Fejson2env%2Fv2"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yYzQ3LW03NTctMzJnNs4ABIMs/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/Shopify/ejson2env","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/Shopify/ejson2env","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/Shopify/ejson2env/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2025-10-16T01:01:17.752Z","issues_count":6,"pull_requests_count":149,"avg_time_to_close_issue":59503134.0,"avg_time_to_close_pull_request":3306972.4166666665,"issues_closed_count":6,"pull_requests_closed_count":120,"pull_request_authors_count":24,"issue_authors_count":5,"avg_comments_per_issue":1.3333333333333333,"avg_comments_per_pull_request":0.5369127516778524,"merged_pull_requests_count":64,"bot_issues_count":0,"bot_pull_requests_count":97,"past_year_issues_count":0,"past_year_pull_requests_count":53,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":1664977.8064516129,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":31,"past_year_pull_request_authors_count":6,"past_year_issue_authors_count":0,"past_year_avg_comments_per_issue":null,"past_year_avg_comments_per_pull_request":0.4716981132075472,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":43,"past_year_merged_pull_requests_count":8,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fejson2env/issues","maintainers":[{"login":"Owen-Cummings","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Owen-Cummings"},{"login":"rafaelfranca","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/rafaelfranca"},{"login":"burke","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/burke"}],"active_maintainers":[{"login":"Owen-Cummings","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Owen-Cummings"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2FShopify%2Fejson2env/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2FShopify%2Fejson2env/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2FShopify%2Fejson2env/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2FShopify%2Fejson2env/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2FShopify%2Fejson2env/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2FShopify%2Fejson2env/codemeta","maintainers":[]}