CVE-2025-59844 HIGH

CVE-2025-59844: Argument injection vulnerability in SonarQube Scan Action

Vendor Sonarsource

Product sonarqube-scan-action

Weakness CWE-78

Published September 26, 2025

Last update September 26, 2025

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. A command injection vulnerability exists in SonarQube GitHub Action in version 4.0.0 to before version 6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment. The vulnerability has been fixed in version 6.0.0. Users should upgrade to this version or later.

Key dates

02Disclosure timeline

September 26, 2025 CVE published

September 26, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-59844

Related vulnerabilities

CVE-2025-59844: Argument injection vulnerability in SonarQube Scan Action

01Description

02Disclosure timeline

03References

04Related CVE