CVE-2026-25063: gradle-completion has a Bash command injection issue

Published Jan 29, 2026
·
Updated

gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The gradle-completion script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing gradle-completion from .bashrc or .bashprofile.

Affected Software

2 affected components
npm/gradle-completion<=9.3.0
Gradle Gradle-completion Gradle<=9.3.0

Remediation

Patch Available

https://github.com/gradle/gradle-completion/commit/ecacc32bb882210e5d37cd79a74de1af0d0ccad7

Patch Available

https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv

Event History

Jan 29, 2026
CVE Published
via MITRE·09:47 PM
Data Sourced
via MITRE·09:47 PM
DescriptionWeakness
Data Sourced
via NVD·10:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-25063?

CVE-2026-25063 is classified as a high-severity command injection vulnerability.

2

How do I fix CVE-2026-25063?

Upgrade gradle-completion to version 9.4.0 or later to mitigate the vulnerability.

3

What impact does CVE-2026-25063 have on my system?

CVE-2026-25063 allows an attacker to execute arbitrary code on the system through malicious Gradle build files.

4

Who is affected by CVE-2026-25063?

All users of gradle-completion versions 9.3.0 and earlier are potentially affected by CVE-2026-25063.

5

When was CVE-2026-25063 disclosed?

CVE-2026-25063 was disclosed as part of ongoing security assessments of the gradle-completion tool.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203