CVE-2025-58178
Severity: HIGH
SonarSource/sonarqube-scan-action 4.0.0-5.3.0 - Command Injection via Unsanitized Input Arguments
SonarQube Server and Cloud are a static analysis solution for continuous code quality and security inspection. In versions 4 to 5.3.0, a command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be processed without proper sanitization. Arguments passed to the action are evaluated as shell expressions, so an attacker who controls an argument can potentially execute arbitrary commands in the workflow runner. A fix has been released in SonarQube Scan GitHub Action 5.3.1.
References (5)
- Vendor Advisory: https://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-f79p-9c5r-xg88
- Issue Tracking: https://github.com/SonarSource/sonarqube-scan-action/pull/200
- Patch: https://github.com/SonarSource/sonarqube-scan-action/commit/016cabf33a6b7edf0733e179a03ad408ad4e88ba
- Various Sources: https://community.sonarsource.com/t/security-advisory-sonarqube-scanner-github-action/147696
- Various Sources: https://sonarsource.atlassian.net/browse/SQSCANGHA-101
Scores
- CVSS v3: 7.8
- EPSS: 0.0112
- EPSS Percentile: 62.0%
- Attack Vector: LOCAL
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)
- Exploitation: none
- Automatable: no
- Technical Impact: total
Details
- CWE: CWE-77
- Status: published
Products (2)
- GitHub Actions / SonarSource/sonarqube-scan-action: 4.0.0 - 5.3.1
- GitHub Actions / SonarSource/sonarqube-scan-action: >= 4, < 5.3.1
Published: Sep 02, 2025
Tracked Since: Feb 18, 2026