CVE-2025-58178
BaseFortify
Publication date: 2025-09-02
Last updated on: 2025-09-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sonarsource | sonarqube_scan_github_action | 4 |
| sonarsource | sonarqube_scan_github_action | 5.3.1 |
| sonarsource | sonarqube_scan_github_action | 5.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58178 is a command injection vulnerability in the SonarQube Scan GitHub Action, versions 4 through 5.3.0. The action passes its untrusted input arguments to a shell without sanitizing them, so special shell characters in the `args` input are interpreted as shell syntax rather than as literal argument text. An attacker who can influence those arguments can therefore inject and execute arbitrary commands on the runner where the action executes. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can allow an attacker with local access and low privileges to execute arbitrary commands within the environment running the SonarQube Scan GitHub Action. This can lead to severe impacts, including unauthorized disclosure of confidential information, modification or corruption of data, and disruption of service availability. Because the vulnerability carries a high CVSS score (7.8) with high confidentiality, integrity, and availability impacts, exploitation could compromise the security and stability of your CI/CD workflows and the underlying systems. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the SonarQube Scan GitHub Action executes shell syntax passed in its input arguments. Detection involves passing arguments that contain shell metacharacters to the action and verifying that the action treats them as literal strings rather than executing them. Examples of such inputs include logical operators (`&&`, `;`), backticks (`` `command` ``), dollar-sign command substitutions (`$(command)`), pipes (`|`), redirections (`>`, `<`), and wildcard expansions (`*`). The tests inspect the output files the action writes (e.g., `output.properties`) to confirm that the inputs are preserved exactly as supplied. While no specific commands are provided, the approach involves running the GitHub Action with crafted inputs such as `-Dsonar.someArg=aValue && echo "Injection"` or `-Dsonar.arg1="$(whoami)"` and checking that no unintended command execution occurs. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the SonarQube Scan GitHub Action to version 5.3.1 or later, which includes a fix that properly sanitizes input arguments and prevents command injection. Additionally, review the GitHub workflows that use this action and avoid building the `args` input from dynamically computed, shell-style expressions. Instead, pass variables with the supported GitHub Actions expression syntax (e.g., `${{ }}`). Workflows that reference `sonarqube-scan-action@v5` receive the patched version automatically, with no manual change required. Also, ensure that deprecated actions such as `SonarSource/sonarcloud-github-action` are updated so they do not reference vulnerable versions internally. [2, 3]
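The following workflow fragment is an added illustration of the mitigation described above; it is not taken from this record or from SonarSource's own documentation. The first job shows the pattern the advisory warns against (an affected version with an `args` value assembled from a shell-style expression); the second pins the fixed release and passes the same value through a GitHub Actions expression. The step names, the `vars.SONAR_PROJECT_VERSION` repository variable and the `sonar.projectVersion` property are assumptions chosen for the example.

```yaml
# Added example, not the project's own workflow. Only `args`,
# `SonarSource/sonarqube-scan-action@v5` and version 5.3.1 come from the record.
name: sonar-scan-example

on: [push]

jobs:
  # Pattern to avoid: an affected version (4 through 5.3.0) combined with an
  # `args` value that relies on shell evaluation. On these versions the action
  # hands the argument string to a shell, so any metacharacters in it are
  # interpreted rather than passed through literally.
  scan-before-fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan (affected version, shell-style args)   # assumed step name
        uses: SonarSource/sonarqube-scan-action@v5.3.0
        with:
          # Shell command substitution inside args is exactly the shape the
          # advisory describes as risky.
          args: -Dsonar.projectVersion=$(git describe --tags)

  # Corrected pattern: pin a patched release (5.3.1 or later, or the moving
  # @v5 tag, which already resolves to the fix) and supply the value through
  # the Actions expression syntax so it is substituted before the step runs.
  scan-after-fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan (patched version, expression-passed args)   # assumed step name
        uses: SonarSource/sonarqube-scan-action@v5.3.1
        with:
          # `vars.SONAR_PROJECT_VERSION` is an assumed repository variable; the
          # expression is resolved by GitHub, not by a shell inside the action.
          args: -Dsonar.projectVersion=${{ vars.SONAR_PROJECT_VERSION }}
```

When reviewing existing workflows, the two things to look for are the version tag on the `uses:` line (anything from 4 up to and including 5.3.0 is affected) and any `args` value that contains shell syntax or is built from step output; moving the value into an expression and bumping the tag addresses both.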