CVE-2025-59844

Github Actions Sonarsource/sonarqube-... - OS Command Injection

Title source: rule

Description

SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. A command injection vulnerability exists in SonarQube GitHub Action in version 4.0.0 to before version 6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment. The vulnerability has been fixed in version 6.0.0. Users should upgrade to this version or later.

References (3)

[Various Sources] https://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281

[Vendor Advisory] https://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-5xq9-5g24-4g6f

[Release Notes] https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0

Scores

EPSS 0.0019

EPSS Percentile 40.0%

Classification

CWE

CWE-78

Status draft

Affected Products (1)

GitHub Actions/SonarSource/sonarqube-scan-action < 6.0.0GitHub Actions

Timeline

Published Sep 26, 2025

Tracked Since Feb 18, 2026