Microsoft has introduced a new security prompt in Windows PowerShell 5.1 to mitigate a high‑severity remote code execution vulnerability (CVE‑2025‑54100). This change is aimed at protecting enterprise and IT‑managed environments where PowerShell automation is widely used.
What Changed
- Affected versions: PowerShell 5.1 (default on Windows 10 & 11).
- New behavior: When running Invoke-WebRequest (or curl, which is aliased to it), PowerShell now warns that scripts embedded in downloaded web pages could execute.
- Prompt options:
  - No / Enter → cancels the operation and suggests rerunning with -UseBasicParsing.
  - Yes → continues with full HTML parsing, accepting the risk of script execution.
- Safer alternative: Use the -UseBasicParsing parameter to avoid executing any script code during parsing.
Why It Matters
- CVE‑2025‑54100: A remote code execution flaw tied to unsafe parsing of web content.
- Risk profile: Primarily impacts enterprise automation scripts; less common in consumer environments.
- Alignment with PowerShell 7: Brings the same secure parsing process to PowerShell 5.1.
Admin Guidance
- Update required: Install KB5074204 to enable the new warning prompt.
- Modify automation scripts: Explicitly add -UseBasicParsing to avoid manual confirmation prompts.
- Check aliases: Remember that curl in PowerShell maps to Invoke-WebRequest, so the same warnings apply.
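One way to find the automation scripts this guidance applies to, as an added example that is not from Microsoft or the original article: a static check that parses script text with the PowerShell AST and reports Invoke-WebRequest calls (through curl, or the iwr and wget aliases that Windows PowerShell 5.1 also defines) that lack -UseBasicParsing. The function name Find-UnsafeWebRequest, the intranet.example URLs and the sample script are constructed for illustration.

```powershell
# Added example: static audit for web-request calls without -UseBasicParsing.
# $sample is constructed input; use Get-Content -Raw on a real script instead.
$sample = @'
$page = Invoke-WebRequest -Uri https://intranet.example/status
curl https://intranet.example/file.txt -OutFile file.txt
iwr -Uri https://intranet.example/api -UseBasicParsing
$p = @{ Uri = 'https://intranet.example/x' }; Invoke-WebRequest @p
'@

function Find-UnsafeWebRequest {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Match the cmdlet and its built-in aliases in Windows PowerShell 5.1.
    # 'curl.exe' is the native binary, not the alias, so it is not matched.
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $node.GetCommandName() -in 'Invoke-WebRequest', 'iwr', 'curl', 'wget'
    }, $true)

    foreach ($call in $calls) {
        $params = $call.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] }
        # Accept unambiguous abbreviations such as -UseB.
        $hasBasic = [bool]($params | Where-Object {
            $_.ParameterName.Length -ge 4 -and
            'UseBasicParsing'.StartsWith($_.ParameterName, [StringComparison]::OrdinalIgnoreCase) })
        # Splatted hashtables (@p) cannot be resolved statically: flag for review.
        $splatted = [bool]($call.CommandElements | Where-Object {
            $_ -is [System.Management.Automation.Language.VariableExpressionAst] -and $_.Splatted })
        if (-not $hasBasic) {
            [pscustomobject]@{
                Line    = $call.Extent.StartLineNumber
                Status  = if ($splatted) { 'Review (splatted parameters)' } else { 'Missing -UseBasicParsing' }
                Command = $call.Extent.Text
            }
        }
    }
}

Find-UnsafeWebRequest -ScriptText $sample | Format-Table -AutoSize
```

Because the check only parses the text and never runs it, it can be pointed at untrusted or unreviewed scripts; calls built dynamically (for example through Invoke-Expression) are outside what it can see.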
Key Takeaways
- Most scripts that only download content or handle response bodies as text/data will continue to work without changes.
- Scripts relying on full HTML parsing may need adjustments to handle the new prompt.
- This update reduces the risk of silent script execution from malicious or compromised web content.