CVE-2026-25063
Unknown Unknown - Not Provided
Command Injection in Gradle-Completion Bash Leads to Code Execution

Publication date: 2026-01-29

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The `gradle-completion` script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing `gradle-completion` from `.bashrc` or `.bash_profile`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25063
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gradle gradle-completion to 9.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in gradle-completion up to version 9.3.0, which provides Bash and Zsh completion support for Gradle. Specifically, the Bash completion script fails to properly sanitize Gradle task names and descriptions. If a malicious Gradle build file contains task descriptions with strings enclosed in backticks, those strings are executed as commands when a user triggers Bash tab completion. This allows an attacker to execute arbitrary code without the user explicitly running any Gradle task. The vulnerability does not affect Zsh completion and was fixed in version 9.3.1.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system when you use Bash tab completion in a Gradle project containing a malicious build file. An attacker could exploit this to run unauthorized commands with the privileges of the user triggering the completion, potentially compromising your system or data. Since the vulnerability triggers without explicit task execution, it can be exploited simply by attempting to complete commands in Bash.

Mitigation Strategies

To mitigate this vulnerability immediately, you can disable Bash completion for Gradle by removing the gradle-completion script from your .bashrc or .bash_profile files. Additionally, upgrading gradle-completion to version 9.3.1 or later will patch the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25063. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart