CVE-2025-59844
BaseFortify
Publication date: 2025-09-26
Last updated on: 2025-09-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sonarsource | sonarqube_scan_action | 6.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection issue in SonarQube GitHub Action versions 4.0.0 to before 6.0.0 on Windows runners. It occurs when workflows pass user-controlled input to the args parameter without proper validation, allowing attackers to execute arbitrary commands. This bypasses a previous security fix and can lead to exposure of sensitive environment variables and compromise of the runner environment. The issue is fixed in version 6.0.0 and later.
How can this vulnerability impact me?
The vulnerability can allow an attacker to execute arbitrary commands on the affected system, potentially exposing sensitive environment variables and compromising the runner environment. This can lead to unauthorized access, data leakage, and further system compromise.
What immediate steps should I take to mitigate this vulnerability?
Upgrade SonarQube GitHub Action to version 6.0.0 or later, as this version contains the fix for the command injection vulnerability. Avoid using vulnerable versions (4.0.0 to before 6.0.0), especially on Windows runners where user-controlled input is passed to the args parameter.
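As an added illustration of the mitigation above (not taken from the advisory or from SonarSource), the workflow fragment below contrasts the pattern the Q&A describes, an external user's text expanded into the `args` input on a Windows runner, with a hardened job pinned to the fixed major. The action name `sonarsource/sonarqube-scan-action`, the `@v5`/`@v6` tags, and the `SONAR_TOKEN`/`SONAR_HOST_URL` secret names are assumed from the action's public documentation, not stated on this page.

```yaml
# Added example, not the advisory's or SonarSource's own code.
# Assumed: the action is sonarsource/sonarqube-scan-action and exposes the
# `args` input named in the advisory; SONAR_TOKEN / SONAR_HOST_URL are
# assumed secret names; the @v5 and @v6 tags are assumed to map to the
# affected (4.0.0 <= v < 6.0.0) and fixed (>= 6.0.0) ranges respectively.
name: sonar-scan
on:
  pull_request:

jobs:
  # Risky pattern on a Windows runner: a field an external contributor
  # controls (the PR title) is template-expanded by ${{ }} straight into the
  # args string before the action runs, so it reaches the command line
  # unneutralised (CWE-78). Secrets exposed via env are then at risk.
  scan-risky:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sonarsource/sonarqube-scan-action@v5   # assumed tag in the affected range
        with:
          args: -Dsonar.projectName="${{ github.event.pull_request.title }}"
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

  # Hardened: pin to the fixed major (6.0.0 or later) and keep every value
  # in args static. Nothing derived from github.event.* (titles, bodies,
  # branch names, usernames) is interpolated into the command line.
  scan-hardened:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sonarsource/sonarqube-scan-action@v6   # assumed tag for >= 6.0.0 (fixed)
        with:
          args: >
            -Dsonar.projectKey=example_project
            -Dsonar.sources=src
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```

A quick audit for the risky shape is to search workflow files for `args:` lines that contain `${{ github.event.` and check which runner label the job uses.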