GHSA-5xq9-5g24-4g6f (CVE-2025-59844)

Details

A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment.

Patches

The vulnerability has been fixed in version v6.0.0. Users should upgrade to this version or later.

Credits

Francois Lajeunesse-Robert (Boostsecurity.io)

References

Community Post: https://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281
Fix release: https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0

Affected Packages

GitHub ActionsSonarSource/sonarqube-scan-action

Fixed in:

6.0.0

References

WEBhttps://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281 PACKAGEhttps://github.com/SonarSource/sonarqube-scan-action WEBhttps://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0 WEBhttps://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-5xq9-5g24-4g6f ADVISORYhttps://github.com/advisories/GHSA-5xq9-5g24-4g6f ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-59844

GHSA-5xq9-5g24-4g6f

Details

Patches

Credits

References

Affected Packages

References

Aliases

CVSS Analysis

Related

Ecosystems

Timeline