PT-2025-35523 · Sonarqube · Sonarqube
Torbjorn-Svensson · Published 2025-09-02 · Updated 2025-09-22
CVE-2025-58178
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SonarQube versions 4 through 5.3.0
Description
SonarQube is a static analysis solution for continuous code quality and security inspection. A command injection issue was identified in the SonarQube Scan GitHub Action. Untrusted input arguments are processed without proper sanitization, allowing potential execution of arbitrary commands. Arguments sent to the action are treated as shell expressions.
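As an added example (not code from SonarSource's action), the POSIX shell script below models the behaviour the description attributes to the affected action, a wrapper that splices its args string into a command line the shell re-evaluates, beside a wrapper that passes the same words as literal argv, and includes a probe check a maintainer can use to tell the two apart. The stub scanner, the two wrappers and the probe string are constructed for the demonstration; the unsafe wrapper's exact shape is an assumption.

```shell
#!/bin/sh
# Added example, not SonarSource's action code. fake_scanner is a stub standing
# in for sonar-scanner: it only echoes the argv it received, one per line.
fake_scanner() {
  printf '%s\n' "$@"
}

# Pattern the advisory describes (assumed shape): the input string is spliced
# into a command line that the shell re-evaluates, so ${...}, $(...), ';' and
# similar inside it are interpreted instead of reaching the scanner verbatim.
run_unsafe() {
  eval "fake_scanner $1"
}

# Hardened pattern: split the input on whitespace into positional parameters
# (globbing disabled) and hand them over as argv. Field splitting does not
# re-parse the text, so shell syntax inside it stays literal.
run_safe() {
  set -f
  set -- $1
  set +f
  fake_scanner "$@"
}

# Constructed probe: a parameter reference that only expands if the wrapper
# evaluates its input as shell. A command substitution behaves the same way.
PROBE_MARK='EXPANDED'
PROBE='-Dsonar.projectKey=demo -Dsonar.probe=${PROBE_MARK}'

# Argv the stub scanner received for the probe, joined with '|' so wrappers
# can be compared. $1 = wrapper function name.
argv_seen() {
  "$1" "$PROBE" | paste -s -d '|' -
}

# Returns 0 when the wrapper delivered the probe exactly as written.
args_are_literal() {
  [ "$(argv_seen "$1")" = "$(printf '%s' "$PROBE" | tr ' ' '|')" ]
}

for wrapper in run_unsafe run_safe; do
  printf '%-10s argv=%s\n' "$wrapper" "$(argv_seen "$wrapper")"
done
```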
Recommendations
Update to SonarQube Scan GitHub Action version 5.3.1 or later.
Exploit
Fix
DoS
Command Injection
Affected Products
Sonarqube