
[GHSA-q66h-m87m-j2q6] Bitcoinrb Vulnerable to Command injection via RPC #7079

Closed
claidlaw-figment wants to merge 1 commit into claidlaw-figment/advisory-improvement-7079 from claidlaw-figment-GHSA-q66h-m87m-j2q6

Conversation

@claidlaw-figment

Updates

  • CVSS v4
  • Severity

Comments
Updating the CVSS Score for this vulnerability. I will list the updated fields and my rationale.
Attack requirements: The deployment must be using the RPC server, so I have updated this to "Present".
Confidentiality, Integrity, Availability: This is a command injection, so all have been updated to High.

@github
Collaborator

github commented Feb 25, 2026

Hi there @azuchi! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to claidlaw-figment/advisory-improvement-7079 February 25, 2026 17:10
@azuchi

azuchi commented Feb 26, 2026

Hi @claidlaw-figment, thanks for your interest in improving this advisory.

As the maintainer of bitcoinrb and the author of this advisory, I'd like to provide some context on why the severity was set to Low.

The RPC server in question is part of an experimental SPV node feature that is:

  • Designed exclusively for local communication, not intended to be exposed to the internet
  • Undocumented and incomplete — the SPV node functionality was never finished
  • Not used in production by anyone, to my knowledge
  • Planned for removal in a future release

While I agree that command injection is a serious vulnerability class in general, the practical impact here is essentially zero given the above context. Raising Confidentiality, Integrity, and Availability to High based solely on the vulnerability category, without considering the actual deployment context, would misrepresent the real-world risk and could generate unnecessary high-severity alerts for bitcoinrb users via dependency scanning tools.

I believe the current severity of Low accurately reflects the actual risk of this vulnerability, and I would prefer it remain unchanged.

@helixplant

Hi @claidlaw-figment,
We agree with the maintainer here on a Low severity scoring and will not be updating the CVSS score.

@helixplant helixplant closed this Feb 26, 2026
@github-actions github-actions bot deleted the claidlaw-figment-GHSA-q66h-m87m-j2q6 branch February 26, 2026 14:28