gradle gradle-completion up to 9.3.0 os command injection

Summaryinfo

A vulnerability, which was classified as critical, was found in gradle gradle-completion up to 9.3.0. This affects an unknown function. Executing a manipulation can lead to os command injection. This vulnerability is registered as CVE-2026-25063. The attack needs to be launched locally. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in gradle gradle-completion up to 9.3.0. This vulnerability affects some unknown functionality. The manipulation with an unknown input leads to a os command injection vulnerability. The CWE definition for the vulnerability is CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The `gradle-completion` script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing `gradle-completion` from `.bashrc` or `.bash_profile`.

The advisory is available at github.com. This vulnerability was named CVE-2026-25063 since 01/28/2026. The exploitation appears to be easy. Local access is required to approach this attack. The exploitation requires an enhanced level of successful authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1202 by the MITRE ATT&CK project.

The vulnerability scanner Nessus provides a plugin with the ID 297268 (Linux Distros Unpatched Vulnerability : CVE-2026-25063), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 9.3.1 eliminates this vulnerability. Applying the patch ecacc32bb882210e5d37cd79a74de1af0d0ccad7 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (297268) and EUVD (EUVD-2026-4943). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• gradle

Name

• gradle-completion

Version

• 9.0
• 9.1
• 9.2
• 9.3.0

License

• open-source

Website

• Product: https://github.com/gradle/gradle-completion/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion