CVE-2026-25063
📋 TL;DR
A command injection vulnerability in gradle-completion up to and including version 9.3.0 allows arbitrary command execution when a user triggers Bash tab completion for gradle inside a project whose Gradle build file was crafted by an attacker. The completion script does not sanitize the Gradle task names and descriptions it collects, so a backtick-enclosed string in one of them is treated by Bash as command substitution and runs with the user's privileges the moment Tab is pressed, before any candidate is shown and without the user running a Gradle build. This affects developers and system administrators who use gradle-completion in Bash.
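The mechanism described above, as an added example that is not gradle-completion's own code: a Bash completion function that hands an unsanitized task list to compgen -W, beside a version that never re-expands the words. The task list is a constructed string standing in for whatever text the real script collects from the project; whether the real script used compgen -W specifically is not stated on this page. The payload only creates a marker file in a temporary directory so the two behaviours can be told apart.

```bash
#!/usr/bin/env bash
# Added example (not gradle-completion's code): why an unsanitized task list is
# dangerous inside a Bash completion function, and one way to complete safely.
# Re-exec under bash if started by a plain POSIX sh: compgen, arrays and [[ ]] are bash-only.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Constructed stand-in for the text a completion script would collect from a
# project's Gradle build (e.g. the output of listing its tasks). The last "task"
# carries a backtick command substitution. The payload is deliberately harmless:
# it only creates a marker file so we can tell whether anything was executed.
MARKER="$(mktemp -d)/completion-executed-a-command"
UNTRUSTED_TASKS="assemble build clean test \`id>$MARKER\`"

# Vulnerable pattern: compgen -W expands every word of its list (parameter
# expansion, command substitution, arithmetic) before matching, so the
# backticks run the moment the user presses Tab, before any candidate is shown.
vulnerable_complete() {
  local wordlist=$1 cur=$2
  COMPREPLY=( $(compgen -W "$wordlist" -- "$cur") )
}

# Hardened pattern: split on whitespace with read -a, which never expands word
# contents, filter by prefix in pure Bash, and reject candidates that carry
# shell metacharacters (assumption for this example: such strings are never
# legitimate task names, so dropping them loses nothing).
safe_complete() {
  local wordlist=$1 cur=$2 word
  local -a words
  # -d '' reads the whole (possibly multi-line) list; read returns 1 at end of input.
  read -r -d '' -a words <<< "$wordlist" || true
  COMPREPLY=()
  for word in "${words[@]}"; do
    [[ $word == *['`$();|&<>']* ]] && continue
    [[ $word == "$cur"* ]] && COMPREPLY+=("$word")
  done
  return 0
}

# Returns 0 if the marker exists (a command ran) and removes it for the next run.
command_was_executed() {
  if [ -e "$MARKER" ]; then rm -f "$MARKER"; return 0; fi
  return 1
}

vulnerable_complete "$UNTRUSTED_TASKS" ""
command_was_executed && echo "vulnerable_complete: backtick payload executed"

safe_complete "$UNTRUSTED_TASKS" ""
command_was_executed || echo "safe_complete: nothing executed, candidates: ${COMPREPLY[*]}"
```

Run it with bash; the first line of output confirms that compgen -W executed the backtick string even though the user typed nothing but Tab, the second that the read -a version offered the four real task names and silently dropped the injected one. The same reasoning applies to any completion script that builds its word list from files in the current directory.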
💻 Affected Systems
- gradle-completion
⚠️ Manual Verification Required
The CVE database entry used here does not carry vendor/NVD version ranges, so automated detection cannot tell whether your copy is affected.
Why? The NVD entry does not specify which versions are vulnerable. The vendor advisory referenced in the fix section does give the boundary to check by hand: releases up to and including 9.3.0 are affected and 9.3.1 fixes it.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary command execution with the privileges of the user whose shell performed the completion. If that account has administrative rights, or the host is a shared development or build machine, this becomes full system compromise, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Execution of attacker-chosen commands in the context of the user's shell when they tab-complete Gradle commands in a compromised project. On its own this is a foothold as that user, not a privilege escalation; further escalation depends on what that account can already do.
If Mitigated
Limited impact if users only work with trusted Gradle projects or have restricted shell environments.
🎯 Exploit Status
Exploitation requires the attacker to get a malicious Gradle build file into a project directory the victim works in, for example through a cloned repository or a contributed change, and the victim then has to trigger Bash tab completion for gradle while in that directory. No further interaction is needed: the backticks are expanded during completion itself, so the victim does not have to accept a candidate or run the build.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.3.1
Vendor Advisory: https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv
Restart Required: No (but shells that already loaded the old script keep its completion function until it is re-sourced or the shell is restarted)
Instructions:
1. Update gradle-completion to version 9.3.1 or later (Homebrew users: brew upgrade gradle-completion).
2. For a manual update: git clone https://github.com/gradle/gradle-completion.git, check out the 9.3.1 release or later, and copy the updated Bash script (gradle-completion.bash) over the copy your shell sources, for example in ~/.bash_completion.d/ or wherever your .bashrc points.
3. Reload your shell or source the updated completion script in every open Bash session; sessions that still hold the old function remain vulnerable until then.
🔧 Temporary Workarounds
Disable gradle-completion
Platform: Linux (any Bash installation)
Temporarily remove gradle-completion from your Bash configuration to prevent exploitation. The sed below deletes every line mentioning gradle-completion from the files it is given, so review those files first and keep the .bak copies it writes.
# Remove the line that sources the script from .bashrc or .bash_profile (only files that exist)
for f in ~/.bashrc ~/.bash_profile; do [ -f "$f" ] && sed -i.bak '/gradle-completion/d' "$f"; done
# If the script was installed into a completion directory instead (e.g. ~/.bash_completion.d/ or /etc/bash_completion.d/), move it out of that directory
# Then unregister it in every running shell (complete -p lists the names the script registered), or reload:
complete -p | grep -i gradle
complete -r gradle
source ~/.bashrc
Switch to Zsh completion
Platform: Linux
Use Zsh instead of Bash, as this vulnerability is reported against the Bash completion script only. Note that Gradle completion for Zsh is a separate script that you would install in addition, and that the vulnerable Bash script stays installed for anyone who still opens a Bash session on the machine, so removing it (above) is the smaller and more reliable change.
# Install Zsh if not present
sudo apt-get install zsh # Debian/Ubuntu
sudo yum install zsh # RHEL/CentOS
# Then switch default shell:
chsh -s $(which zsh)
🧯 If You Can't Patch
- Only work with trusted Gradle projects from verified sources
- Avoid using tab completion in directories with unfamiliar Gradle build files
🔍 How to Verify
Check if Vulnerable:
Check whether gradle-completion is loaded in your shell and whether it is 9.3.0 or earlier. The script is sourced, not executed, so it is not on your PATH; look it up through the completion registration instead, then read the version from the installation you have (git clone tag, Homebrew, or the file you downloaded).
Check Version:
complete -p gradle 2>/dev/null || echo 'no completion registered for gradle in this shell'
# The -F name in that output is the completion function; with extdebug on, declare -F prints its defining file
shopt -s extdebug; declare -F "$(complete -p gradle | sed -n 's/.*-F \([^ ]*\).*/\1/p')"; shopt -u extdebug
Verify Fix Applied:
Verify that the installed gradle-completion is 9.3.1 or later. Then test tab completion in a throwaway directory you created yourself, containing a Gradle build file whose task description holds a harmless backtick command (one that only creates a marker file): after pressing Tab the marker must not exist. Never run this check inside a project you do not trust.
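Helpers for the checks above (locate the loaded script, read its version, build a canary project), as an added example; they are not part of the advisory or the gradle-completion project. The assumptions are labelled in comments: the version is derived from a git clone's tag or from the Homebrew formula name gradle-completion, and the canary follows the backtick-in-description test this page describes.

```bash
#!/usr/bin/env bash
# Added example (not part of the advisory or the gradle-completion project):
# helpers for the verification steps. Source this file in the Bash session whose
# completion you want to check:  source ./check-gradle-completion.sh
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Numeric comparison of dotted versions: version_ge 9.10.0 9.3.1 is true, where a
# plain string comparison would say the opposite. Assumes purely numeric components.
version_ge() {
  local -a a b
  local i n x y
  IFS=. read -r -a a <<< "$1"
  IFS=. read -r -a b <<< "$2"
  n=${#a[@]}; (( ${#b[@]} > n )) && n=${#b[@]}
  for (( i = 0; i < n; i++ )); do
    x=${a[i]:-0}; y=${b[i]:-0}
    (( 10#$x > 10#$y )) && return 0
    (( 10#$x < 10#$y )) && return 1
  done
  return 0
}

# The advisory's fixed release is 9.3.1; anything below it is affected.
gradle_completion_fixed() { version_ge "$1" 9.3.1; }

# Extract the completion function name from a `complete -p` line such as
# "complete -F _gradle gradle" (the name is read from the spec, not assumed).
completion_function_name() {
  [[ $1 =~ -F[[:space:]]+([^[:space:]]+) ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

# Print the file that defined the gradle completion function in this shell.
# With extdebug on, `declare -F name` prints "name line file".
locate_completion_script() {
  local spec fn
  spec=$(complete -p gradle 2>/dev/null) || { echo "no completion registered for gradle in this shell" >&2; return 1; }
  fn=$(completion_function_name "$spec") || { echo "gradle completion is not function-based: $spec" >&2; return 1; }
  shopt -s extdebug
  declare -F "$fn" | cut -d' ' -f3-
  shopt -u extdebug
}

# Best-effort installed version from the installation method. Assumptions: the
# script lives in a git clone of the repository (the newest reachable tag is a
# lower bound for the checked-out code), or it came from the Homebrew formula.
installed_version() {
  local script=$1 dir v
  dir=$(dirname "$script")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C "$dir" describe --tags --abbrev=0 | sed 's/^v//'
    return 0
  fi
  if command -v brew >/dev/null 2>&1; then
    v=$(brew list --versions gradle-completion 2>/dev/null | awk 'NF { print $2; exit }')
    [ -n "$v" ] && { echo "$v"; return 0; }
  fi
  echo "cannot determine the version of $script; compare it with the 9.3.1 release manually" >&2
  return 1
}

# Write a throwaway project whose only task description holds a harmless backtick
# substitution that creates MARKER (use a path without spaces). Then, in a shell
# with the completion loaded:  cd DIR; type "gradle " and press Tab; test -e MARKER.
make_canary_project() {
  local dir=$1 marker=$2
  mkdir -p "$dir"
  printf 'rootProject.name = "completion-canary"\n' > "$dir/settings.gradle"
  cat > "$dir/build.gradle" <<EOF
// Constructed canary build: the description is the only payload and it only creates a file.
tasks.register("canary") {
    group = "verification"
    description = "canary \`:>$marker\`"
}
EOF
}
```

Typical use in the session to check: `script=$(locate_completion_script)`, then `gradle_completion_fixed "$(installed_version "$script")"` answers the version question. Whatever that says, run the canary as well: `d=$(mktemp -d); make_canary_project "$d" "$d/fired"; cd "$d"`, press Tab after `gradle `, and `test -e "$d/fired"` must fail on a fixed installation.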
📡 Detection & Monitoring
Log Indicators:
- Command execution by a user's interactive Bash shell that does not correspond to anything the user typed: the backticks are expanded inside the completion, so the injected command shows up as a child of the interactive bash process (through a forked subshell), with no gradle process in between and no entry in shell history
- Suspicious short-lived children of interactive bash processes (sh -c, curl, wget, base64, chmod) whose working directory is a checked-out project containing a Gradle build file
Network Indicators:
- Outbound connections from a user's interactive shell, or from processes it spawned, shortly after a change of directory into a freshly cloned project; there is no separate "completion process" to key on
SIEM Query:
process.name:bash AND process.args:*gradle* AND process.parent.name:bash
This query is a coarse starting point and will be noisy: a subshell forked for command substitution inherits the interactive shell's own argument list, so "gradle" may not appear in its args at all, and bash-within-bash is common. A more useful rule looks for non-shell children (curl, wget, python, sh -c) of an interactive bash whose working directory is under a source checkout; tune the field names to your EDR schema.