High severity (7.8) OSV Advisory · Published Sep 2, 2025 · Updated Apr 15, 2026
CVE-2025-58178
Description
SonarQube Server and Cloud are static analysis solutions for continuous code quality and security inspection. In versions 4 to 5.3.0 of the SonarQube Scan GitHub Action, a command injection vulnerability allows untrusted input arguments to be processed without proper sanitization: arguments sent to the action are treated as shell expressions, so the shell may execute arbitrary commands embedded in them. A fix has been released in SonarQube Scan GitHub Action 5.3.1.
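The description above does not show the action's code; the following is an added illustration of the general pattern it describes, not the project's own script. `fake_scanner` is a stand-in that reports how it was invoked, `run_unsafe` re-parses an input string with `eval` (the "treated as shell expressions" behaviour), and `run_safe` passes each input through as one literal argument.

```shell
#!/bin/sh
# Stand-in for the scanner binary (assumption, not the real scanner):
# prints the argument count, then each argument on its own line.
fake_scanner() {
  printf '%s\n' "$#"
  for a in "$@"; do
    printf 'ARG:%s\n' "$a"
  done
}

# Unsafe pattern: the whole input string is handed to eval, so the shell
# performs expansion, word splitting and command parsing on untrusted text.
run_unsafe() {
  eval "fake_scanner $1"
}

# Hardened pattern: every input stays a single literal word via "$@";
# nothing is re-parsed, so metacharacters and $vars reach the tool as-is.
run_safe() {
  fake_scanner "$@"
}

# Helpers returning only the argument count the stand-in scanner saw.
count_args_unsafe() { run_unsafe "$1" | head -n 1; }
count_args_safe()   { run_safe "$@" | head -n 1; }

# Constructed sample input: contains a space and a shell variable reference.
SAMPLE='-Dsonar.projectKey=demo -Dsonar.branch.name=$HOME'
run_unsafe "$SAMPLE"   # 2 arguments, and $HOME has been expanded by the shell
run_safe "$SAMPLE"     # 1 argument, the literal string exactly as supplied
```

In a workflow the hardened form corresponds to passing inputs as an array of discrete arguments rather than interpolating them into a command string.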
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| SonarSource/sonarqube-scan-action | GitHub Actions | >= 4.0.0, < 5.3.1 | 5.3.1 |
References
- github.com/advisories/GHSA-f79p-9c5r-xg88 (GHSA advisory)
- community.sonarsource.com/t/security-advisory-sonarqube-scanner-github-action/147696 (NVD, web)
- github.com/SonarSource/sonarqube-scan-action/commit/016cabf33a6b7edf0733e179a03ad408ad4e88ba (NVD, web)
- github.com/SonarSource/sonarqube-scan-action/pull/200 (NVD, web)
- github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-f79p-9c5r-xg88 (NVD, web)
- sonarsource.atlassian.net/browse/SQSCANGHA-101 (NVD, web)