CVE-2025-58178
📋 TL;DR
A command injection vulnerability in SonarQube Scan GitHub Action versions 4 to 5.3.0 allows attackers to execute arbitrary commands by injecting malicious shell expressions through untrusted input arguments. This affects organizations using vulnerable versions of the SonarQube Scan GitHub Action in their CI/CD pipelines.
💻 Affected Systems
- SonarQube Scan GitHub Action
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the GitHub Actions runner environment, allowing attackers to steal secrets, modify source code, deploy malicious artifacts, and pivot to internal systems.
Likely Case
Execution of arbitrary commands within the GitHub Actions runner context, potentially leading to credential theft, repository tampering, or supply chain attacks.
If Mitigated
Limited impact due to restricted runner permissions, network segmentation, and proper secret management, though some command execution may still occur.
🎯 Exploit Status
Exploitation requires control over GitHub Actions workflow inputs, which could come from pull requests, forked repositories, or compromised accounts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.1
Vendor Advisory: https://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-f79p-9c5r-xg88
Restart Required: No
Instructions:
1. Update your GitHub Actions workflow YAML file to use 'SonarSource/sonarqube-scan-action@v5.3.1' or later.
2. Commit and push the changes to trigger a new workflow run.
🔧 Temporary Workarounds
Pin to safe version
(all platforms) Manually specify a safe version of the action in your workflow file:
- uses: SonarSource/sonarqube-scan-action@v5.3.1
Input validation
(linux) Add an explicit input validation step in your workflow before passing values to the SonarQube action. Hand the untrusted value to the script through an environment variable instead of interpolating ${{ ... }} directly into the run block, because that interpolation is itself a shell-injection path and would let a crafted value break out before the check runs:
- name: Validate inputs
  env:
    SOME_ARG: ${{ inputs.some_arg }}
  run: |
    if [[ "$SOME_ARG" =~ [^a-zA-Z0-9._-] ]]; then
      echo "Invalid input"
      exit 1
    fi
🧯 If You Can't Patch
- Disable or remove SonarQube Scan Action from workflows
- Implement strict code review for all pull requests modifying GitHub Actions workflows
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Actions workflow YAML files for 'SonarSource/sonarqube-scan-action' usage with version below 5.3.1
Check Version:
grep -r "SonarSource/sonarqube-scan-action" .github/workflows/
Verify Fix Applied:
Verify workflow YAML uses 'SonarSource/sonarqube-scan-action@v5.3.1' or later
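The grep above only lists where the action is referenced; it does not tell you whether the pinned ref falls in the affected range. The following added script (not part of this advisory or of the SonarSource project) walks .github/workflows, extracts the ref after '@' and classifies it against the range stated above (4.0.0 up to and including 5.3.0 vulnerable, 5.3.1 fixed). Commit SHAs, branch names and floating tags such as v5 are reported as 'review' because they cannot be compared without resolving the ref; the directory path and the sample workflow text are assumptions for illustration.

```python
import re
from pathlib import Path

ACTION = "SonarSource/sonarqube-scan-action"
FIRST_VULNERABLE = (4, 0, 0)   # advisory: versions 4 through 5.3.0 affected
FIXED = (5, 3, 1)              # advisory: patched in 5.3.1
# Matches "uses: SonarSource/sonarqube-scan-action@<ref>", optionally quoted
USES_RE = re.compile(r"uses:\s*['\"]?" + re.escape(ACTION) + r"@(?P<ref>\S+)", re.IGNORECASE)
# Full semantic version with optional leading "v"; partial tags (v5, v5.3) leave groups empty
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def classify_ref(ref: str) -> str:
    """Return 'vulnerable', 'fixed' or 'review' for the ref pinned after '@'."""
    m = VERSION_RE.match(ref)
    if not m:
        # SHA pins, branches, tags like 'master': must be resolved manually
        return "review"
    major, minor, patch = (int(x) if x is not None else None for x in m.groups())
    if minor is None or patch is None:
        # floating tags (v5, v5.3) move with new releases; resolve before deciding
        return "review"
    version = (major, minor, patch)
    if FIRST_VULNERABLE <= version < FIXED:
        return "vulnerable"
    if version >= FIXED:
        return "fixed"
    return "review"  # pre-4 versions are outside the range the advisory states


def scan_workflow_text(text: str):
    """Return (line_number, ref, classification) for every use of the action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            ref = m.group("ref").strip("'\"")
            findings.append((lineno, ref, classify_ref(ref)))
    return findings


def scan_workflows_dir(root: str = ".github/workflows"):
    """Scan every YAML workflow under root; returns {path: findings} for files using the action."""
    results = {}
    for path in sorted(Path(root).glob("*.y*ml")):
        findings = scan_workflow_text(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan_workflows_dir().items():
        for lineno, ref, verdict in findings:
            print(f"{path}:{lineno}: @{ref} -> {verdict}")
```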
📡 Detection & Monitoring
Log Indicators:
- Unexpected shell commands in GitHub Actions logs
- Suspicious process execution in runner logs
- Failed workflow runs with command injection errors
Network Indicators:
- Unexpected outbound connections from GitHub Actions runners
- DNS requests to suspicious domains from runner containers
SIEM Query:
source="github-actions" AND ("command injection" OR "shell injection" OR "unexpected command")
🔗 References
- https://community.sonarsource.com/t/security-advisory-sonarqube-scanner-github-action/147696
- https://github.com/SonarSource/sonarqube-scan-action/commit/016cabf33a6b7edf0733e179a03ad408ad4e88ba
- https://github.com/SonarSource/sonarqube-scan-action/pull/200
- https://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-f79p-9c5r-xg88
- https://sonarsource.atlassian.net/browse/SQSCANGHA-101