Description
Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.
Published: 2026-04-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in Shopify Tophat allows an attacker to inject shell commands through query parameters that are forwarded to /bin/bash -c during URL parsing. The unsanitized input can trigger arbitrary code execution on a developer's macOS workstation while using any user‑level privileges. The weakness is a classic command injection (CWE‑78).

Affected Systems

Developers using Shopify Tophat versions older than 2.5.1 on macOS are affected. The vulnerability is triggered by specially crafted tophat:// or http://localhost:29070 URLs accessed from a web browser. No confirmation dialog appears for previously trusted build hosts, and the local service listening on port 29070 accepts requests from any user’s browser. All installations of Tophat before the 2.5.1 release are susceptible.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to supply a malicious link that a developer opens in a browser, which then contacts the local Tophat service and causes unsafe command execution. Based on the description, this is not a direct external network exploitation, but it can be abused through social engineering or phishing. The impact is that executed commands run with the user's permissions, potentially allowing a compromise of the development machine.

Generated by OpenCVE AI on April 8, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Shopify Tophat version 2.5.1 or newer, which removes the vulnerable URL parsing.
  • Avoid clicking or opening any tophat:// or http://localhost:29070 URLs on machines running Tophat.
  • If Tophat is not required, disable or firewall the local service on port 29070.

Generated by OpenCVE AI on April 8, 2026 at 23:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Shopify
Shopify tophat
Vendors & Products Shopify
Shopify tophat

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.
Title Tophat has a Command Injection Vulnerability When Accessing a Maliciously Crafted Tophat Link
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Shopify Tophat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:50:05.156Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39862

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:26.403

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39862

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:33Z

Weaknesses