#1126696 gradle-completion: CVE-2026-25063

Package:
src:gradle-completion
Source:
src:gradle-completion
Submitter:
Salvatore Bonaccorso
Date:
2026-02-08 14:41:01 UTC
Severity:
normal
Tags:
#1126696#5
Date:
2026-01-30 19:46:46 UTC
From:
To:
Hi,

The following vulnerability was published for gradle-completion.

CVE-2026-25063[0]:
| gradle-completion provides Bash and Zsh completion support for
| Gradle. A command injection vulnerability was found in gradle-
| completion up to and including 9.3.0 that allows arbitrary code
| execution when a user triggers Bash tab completion in a project
| containing a malicious Gradle build file. The `gradle-completion`
| script for Bash fails to adequately sanitize Gradle task names and
| task descriptions, allowing command injection via a malicious Gradle
| build file when the user completes a command in Bash (without them
| explicitly running any task in the build). For example, given a task
| description that includes a string between backticks, then that
| string would be evaluated as a command when presenting the task
| description in the completion list. While task execution is the core
| feature of Gradle, this inherent execution may lead to unexpected
| outcomes. The vulnerability does not affect zsh completion. The
| first patched version is 9.3.1. As a workaround, it is possible and
| effective to temporarily disable bash completion for Gradle by
| removing `gradle-completion` from `.bashrc` or `.bash_profile`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25063
https://www.cve.org/CVERecord?id=CVE-2026-25063
[1] https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv
[2] https://github.com/gradle/gradle-completion/commit/f0034a8a44b8191e5b764cf9b0211cade6ee55d7

Regards,
Salvatore

#1126696#10
Date:
2026-02-08 14:39:29 UTC
From:
To:
A malicious Gradle build file executes arbitrary code and can trivially
cause harm to the system, with completion enabled or not. I'm
downgrading the severity because gradle-completion doesn't deserve to be
removed, the blame is on the user fetching and building an untrusted
project.