Vulnerability Description
SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. In versions 4 to 5.3.0, a command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be processed without proper sanitization. Arguments sent to the action are treated as shell expressions, allowing potential execution of arbitrary commands. A fix has been released in SonarQube Scan GitHub Action 5.3.1.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://community.sonarsource.com/t/security-advisory-sonarqube-scanner-github-a
- https://github.com/SonarSource/sonarqube-scan-action/commit/016cabf33a6b7edf0733
- https://github.com/SonarSource/sonarqube-scan-action/pull/200
- https://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-f7
- https://sonarsource.atlassian.net/browse/SQSCANGHA-101
FAQ
What is CVE-2025-58178?
CVE-2025-58178 is a vulnerability with a CVSS score of 7.8 (HIGH). SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. In versions 4 to 5.3.0, a command injection vulnerability was discovered in the SonarQube ...
How severe is CVE-2025-58178?
CVE-2025-58178 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-58178?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.