CVE-2026-25063

Name of the Vulnerable Software and Affected Versions gradle-completion versions prior to 9.3.1

Description gradle-completion offers Bash and Zsh completion support for Gradle. A command injection issue exists in versions up to and including 9.3.0, potentially leading to arbitrary code execution. This occurs when a user triggers Bash tab completion within a project containing a crafted Gradle build file. The Bash completion script inadequately sanitizes Gradle task names and descriptions. Specifically, a malicious Gradle build file can inject commands when the user completes a command in Bash. The issue stems from the script evaluating strings between backticks within task descriptions as commands when displaying the completion list. This does not affect zsh completion. The vulnerability does not require task execution to be triggered.

Recommendations Update to gradle-completion version 9.3.1 or later. As a temporary workaround, remove gradle-completion from .bashrc or .bash profile to disable Bash completion for Gradle.