Executive Summary

CVE-2025-58178 is a command injection vulnerability in the SonarQube Scan GitHub Action versions 4 to 5.3.0. The vulnerability occurs because the action processes untrusted input arguments without proper sanitization, treating them as shell expressions. This allows an attacker to inject and execute arbitrary commands on the system where the action runs. The issue arises from improper handling of special shell characters in the input arguments, leading to potential execution of unintended commands. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with local access and low privileges to execute arbitrary commands within the environment running the SonarQube Scan GitHub Action. This can lead to severe impacts including unauthorized disclosure of confidential information, modification or corruption of data, and disruption of service availability. Since the vulnerability has a high CVSS score (7.8) with high confidentiality, integrity, and availability impacts, exploitation could compromise the security and stability of your CI/CD workflows and underlying systems. [2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether the SonarQube Scan GitHub Action improperly executes shell commands passed as input arguments. Detection involves passing potentially malicious payloads as arguments to the action and verifying that these inputs are not executed but treated as literal strings. Examples of such payloads include logical operators (&&, ;), backticks (`command`), dollar sign command substitutions ($(command)), pipes (|), redirections (> , <), and wildcard expansions (*). The tests inspect output files (e.g., output.properties) to confirm that the inputs are preserved exactly without execution. While no specific commands are provided, the approach involves running the GitHub Action with crafted inputs like `-Dsonar.someArg=aValue && echo "Injection"` or `-Dsonar.arg1="$(whoami)"` and checking for unintended command execution. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, update the SonarQube Scan GitHub Action to version 5.3.1 or later, which includes patches to properly sanitize input arguments and prevent command injection. Additionally, review your GitHub workflows using this action and avoid using dynamically computed shell-style arguments in the `args` input. Instead, use supported GitHub Actions expression syntax (e.g., `${{ }}`) to safely pass variables. If your workflows reference `sonarqube-scan-action@v5`, they will automatically receive the patched version without manual intervention. Also, ensure that deprecated actions like `SonarSource/sonarcloud-github-action` are updated to avoid referencing vulnerable versions internally. [2, 3]

Useful 0 Not Useful 0