The vulnerability, CVE-2025-XXXXX, is an argument injection flaw in the SonarQube Scan Action for GitHub. It affects Windows runners using versions prior to 6.0.0. The issue arises when user-supplied, untrusted input is passed to the action’s `args` parameter. Internally, these arguments are used to construct a command line for the SonarScanner. Due to insufficient sanitization on Windows, specially crafted input containing metacharacters like `&` or `|` can break out of the intended argument context. This allows an attacker to inject and execute arbitrary shell commands with the permissions of the GitHub runner. The vulnerability bypasses a previous security fix, enabling complete compromise of the runner environment and exposure of secrets.
Platform: GitHub Actions
Version: <6.0.0
Vulnerability: Argument Injection
Severity: High
Date: 2025-09-25
Prediction: Patch available (2025-09-26)
What Undercode Says:
Example of a vulnerable workflow step:

```yaml
- name: SonarQube Scan
  uses: SonarSource/[email protected]
  with:
    args: -Dsonar.projectKey=myProject --version 1.0 & whoami
```

Simulating argument parsing on Windows:

```cmd
echo "Original args: -Dsonar.projectKey=myProject --version 1.0 & whoami"
cmd /c "sonar-scanner -Dsonar.projectKey=myProject --version 1.0 & whoami"
```
How to Exploit:
An attacker with commit rights can modify a workflow file to include malicious input in the `args` parameter. When the workflow runs on a Windows runner, the injected commands execute, potentially exfiltrating secrets like GITHUB_TOKEN.
Protection from this CVE:
Upgrade to version 6.0.0 immediately. Avoid passing user-controlled data directly to the `args` parameter. Implement strict input validation and use allowlists for expected values in workflows.
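The allowlist validation recommended above, as an added example that is not part of the original post or of the action's own code; `validateScannerArgs`, the property allowlist and the flag set are assumed names and values:

```javascript
// Added example, not code from the SonarQube Scan Action itself. It shows one way to
// gate the `args` input before it reaches a Windows runner: reject any cmd.exe
// metacharacter, then accept only an allowlist of -Dsonar.* properties and flags.
// Names (validateScannerArgs, ALLOWED_PROPS, ALLOWED_FLAGS) and the allowlist
// contents are assumptions for this example.

// Characters cmd.exe treats specially when a command line is built by concatenation.
const CMD_METACHARS = /[&|<>^%!"`\r\n]/;

// Allowlisted sonar properties (assumed; extend for your project).
const ALLOWED_PROPS = new Set([
  'sonar.projectKey',
  'sonar.projectName',
  'sonar.projectVersion',
  'sonar.sources',
  'sonar.exclusions',
]);

// Flags that take no value and are safe to forward as-is.
const ALLOWED_FLAGS = new Set(['-X', '--debug']);

// Returns { ok, argv, reason }. On success, argv is an array to pass to
// child_process.spawn(file, argv, { shell: false }) so no shell ever parses it.
function validateScannerArgs(args) {
  const text = String(args);
  const bad = text.match(CMD_METACHARS);
  if (bad) {
    return { ok: false, argv: [], reason: `shell metacharacter ${JSON.stringify(bad[0])} in args` };
  }
  const argv = [];
  for (const tok of text.trim().split(/\s+/).filter(Boolean)) {
    if (ALLOWED_FLAGS.has(tok)) { argv.push(tok); continue; }
    const m = /^-D([A-Za-z0-9.]+)=(.*)$/.exec(tok);
    if (!m) return { ok: false, argv: [], reason: `unexpected token ${tok}` };
    if (!ALLOWED_PROPS.has(m[1])) return { ok: false, argv: [], reason: `property ${m[1]} not allowlisted` };
    argv.push(tok);
  }
  return { ok: true, argv, reason: '' };
}

// Constructed inputs: the payload shape from the advisory beside benign and edge cases.
const samples = [
  '-Dsonar.projectKey=myProject --version 1.0 & whoami',
  '-Dsonar.projectKey=myProject -Dsonar.sources=src -X',
  '-Dsonar.projectKey=a%PATH%b',
];
for (const s of samples) console.log(s, '=>', validateScannerArgs(s));
```

Rejecting the whole string on the first metacharacter, before tokenizing, is deliberate: on Windows `%VAR%` expansion and `&`/`|` splitting happen on the raw command line, so per-token checks alone are not enough.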
Impact:
Arbitrary command execution on the Windows runner, leading to full compromise of the CI/CD environment, theft of repository secrets, and potential supply chain attacks.
Sources:
Reported By: github.com

