Source: gradle-completion
Version: 1.3.1-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gradle-completion.

CVE-2026-25063[0]:
| gradle-completion provides Bash and Zsh completion support for
| Gradle. A command injection vulnerability was found in
| gradle-completion up to and including 9.3.0 that allows arbitrary code
| execution when a user triggers Bash tab completion in a project
| containing a malicious Gradle build file. The `gradle-completion`
| script for Bash fails to adequately sanitize Gradle task names and
| task descriptions, allowing command injection via a malicious Gradle
| build file when the user completes a command in Bash (without them
| explicitly running any task in the build). For example, given a task
| description that includes a string between backticks, that string
| would be evaluated as a command when presenting the task description
| in the completion list. While task execution is the core feature of
| Gradle, this inherent execution may lead to unexpected outcomes. The
| vulnerability does not affect zsh completion. The first patched
| version is 9.3.1. As a workaround, it is possible and effective to
| temporarily disable bash completion for Gradle by removing
| `gradle-completion` from `.bashrc` or `.bash_profile`.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25063
    https://www.cve.org/CVERecord?id=CVE-2026-25063
[1] https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv
[2] https://github.com/gradle/gradle-completion/commit/f0034a8a44b8191e5b764cf9b0211cade6ee55d7

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
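The bug class behind the advisory quoted above, as an added illustration that is not part of this bug report and is not the gradle-completion script: the code below does not reproduce how that script handles task output, it only shows the pattern (attacker-controlled text re-parsed by the shell through eval) next to a form that treats the text as data. The task lines are constructed sample input standing in for what a completion script might collect from `gradle tasks --all`; the function names and the "name - description" layout are assumptions of this example.

```shell
#!/bin/sh
# Added example for the CVE-2026-25063 bug class; NOT gradle-completion code.

# Constructed sample of "name - description" task lines. The second line
# plays the role of a description planted in a malicious build file.
SAMPLE_TASKS='build - Assembles and tests this project.
evil - Runs `echo INJECTED` on tab
clean - Deletes the build directory.'

# Vulnerable pattern: the description is spliced into a string that is then
# handed to eval. eval re-parses that text, so the backticks (or a $(...))
# in it run as a command in the shell of the user who merely pressed <Tab>;
# no gradle task has to be executed for this to happen.
vulnerable_completions() {
    prefix=$1
    printf '%s\n' "$SAMPLE_TASKS" | while IFS= read -r line; do
        name=${line%% - *}
        desc=${line#* - }
        case $name in
            "$prefix"*) eval "printf '%s  %s\n' \"\$name\" \"$desc\"" ;;
        esac
    done
}

# Safe form: the same listing without eval. A quoted "$desc" is only ever
# expanded once, so backticks and $(...) inside it are printed verbatim.
safe_completions() {
    prefix=$1
    printf '%s\n' "$SAMPLE_TASKS" | while IFS= read -r line; do
        name=${line%% - *}
        desc=${line#* - }
        case $name in
            "$prefix"*) printf '%s  %s\n' "$name" "$desc" ;;
        esac
    done
}

# Defence in depth where an eval cannot be removed: drop every character the
# shell re-interprets inside double quotes. Removing eval is the real fix;
# this only limits the damage if a re-parse is reached anyway.
sanitize_field() {
    printf '%s' "$1" | tr -d '`$\\"'
}

# Stand-alone demo: the vulnerable listing shows "INJECTED" in place of the
# backtick expression, the safe listing shows the expression itself.
echo "vulnerable:"; vulnerable_completions ev
echo "safe:";       safe_completions ev
```

Run it with bash or any POSIX sh; the only difference between the two listings is the `eval`, which is why the advisory's fix is about how task names and descriptions are handled rather than about Gradle itself.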
