CVE-2025-67640
Jenkins Git client Plugin < 6.4.1 - OS Command Injection via Workspace Directory Name
Severity
MEDIUM
Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory when it is used as an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands. Fixed in 6.4.1.
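What the description above amounts to, as an added illustration that is not the plugin's own code: the plugin is Java, so this is Python standing in for a hypothetical script generator, and the workspace path below is a constructed example rather than a payload taken from the advisory. The vulnerable generator drops the path into the shell script verbatim, so a shell command separator in the directory name becomes a second command; the hardened generator single-quotes the path with shlex.quote, which is a no-op for ordinary names and turns a hostile name into one literal argument. The tokenizer shows what a POSIX shell would see in each case without executing anything.

```python
from __future__ import annotations

import re
import shlex

# Constructed example paths (not from the advisory). The hostile one carries a
# shell command separator inside the directory name.
HOSTILE_WORKSPACE = "/var/jenkins_home/workspace/job; echo INJECTED"
BENIGN_WORKSPACE = "/var/jenkins_home/workspace/job"

# Allowlist for defence in depth: characters a workspace path should need.
SAFE_PATH_RE = re.compile(r"[A-Za-z0-9_./-]+")


def vulnerable_script(workspace: str) -> str:
    """Hypothetical generator that interpolates the path verbatim (CWE-78).

    Any shell metacharacter in `workspace` is parsed as shell syntax when the
    temporary script runs.
    """
    return f"#!/bin/sh\ncd {workspace}\n"


def hardened_script(workspace: str) -> str:
    """Same generator with the path single-quoted for POSIX sh.

    shlex.quote leaves already-safe names untouched and wraps anything else in
    single quotes, inside which every character except the quote is literal.
    """
    return f"#!/bin/sh\ncd {shlex.quote(workspace)}\n"


def is_shell_safe(path: str) -> bool:
    """Defence-in-depth check: reject names outside a conservative allowlist."""
    return SAFE_PATH_RE.fullmatch(path) is not None


def commands_in(script: str) -> list[list[str]]:
    """Split a generated sh script into its simple commands.

    Uses shlex in POSIX mode with punctuation_chars so ';' is emitted as its own
    token, the way a shell splits commands; quoted text stays one token.
    Comment lines (including the shebang) are skipped.
    """
    commands: list[list[str]] = []
    for line in script.splitlines():
        if not line or line.startswith("#"):
            continue
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        current: list[str] = []
        for token in lexer:
            if token == ";":
                if current:
                    commands.append(current)
                current = []
            else:
                current.append(token)
        if current:
            commands.append(current)
    return commands


if __name__ == "__main__":
    for label, script in (
        ("vulnerable", vulnerable_script(HOSTILE_WORKSPACE)),
        ("hardened", hardened_script(HOSTILE_WORKSPACE)),
    ):
        print(label, "->", commands_in(script))
```

The unquoted script yields two commands, `cd` and the attacker's `echo INJECTED`; the quoted script yields a single `cd` whose only argument is the full hostile name. Quoting at the point where the argument is embedded is the fix; the allowlist check is an extra guard for a path that should never need metacharacters in the first place.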
References (1)
Vendor Advisory
https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3614
Scores
CVSS v3
5.0
EPSS
0.0005
EPSS Percentile
16.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-78
Status
published
Products (2)
jenkins/git_client
< 6.4.1
org.jenkins-ci.plugins/git-client
0 - 6.4.1 (Maven)
Published
Dec 10, 2025
Tracked Since
Feb 18, 2026