Moderate severity · OSV Advisory · Published Dec 10, 2025 · Updated Dec 10, 2025
CVE-2025-67640
Description
Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory when it is used as an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:git-client (Maven) | < 6.4.1 | 6.4.1 |
Affected products
- Range: git-client-1.0.0, git-client-1.0.1, git-client-1.0.2, …
References
- github.com/advisories/GHSA-v8hg-m323-jvjq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67640 (NVD advisory)
- www.jenkins.io/security/advisory/2025-12-10/ (vendor advisory)
- github.com/jenkinsci/git-client-plugin/commit/5a271e5d1d08bd45cdb3c3541856d2dc2abf0dbc (fix commit)
News mentions
- Jenkins Security Advisory 2025-12-10, Jenkins Security Advisories · Dec 10, 2025