Bug#1126696: gradle-completion: CVE-2026-25063

Fri Jan 30 19:46:46 GMT 2026

Source: gradle-completion
Version: 1.3.1-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for gradle-completion.

CVE-2026-25063[0]:
| gradle-completion provides Bash and Zsh completion support for
| Gradle. A command injection vulnerability was found in gradle-
| completion up to and including 9.3.0 that allows arbitrary code
| execution when a user triggers Bash tab completion in a project
| containing a malicious Gradle build file. The `gradle-completion`
| script for Bash fails to adequately sanitize Gradle task names and
| task descriptions, allowing command injection via a malicious Gradle
| build file when the user completes a command in Bash (without them
| explicitly running any task in the build). For example, given a task
| description that includes a string between backticks, then that
| string would be evaluated as a command when presenting the task
| description in the completion list. While task execution is the core
| feature of Gradle, this inherent execution may lead to unexpected
| outcomes. The vulnerability does not affect zsh completion. The
| first patched version is 9.3.1. As a workaround, it is possible and
| effective to temporarily disable bash completion for Gradle by
| removing `gradle-completion` from `.bashrc` or `.bash_profile`.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25063
    https://www.cve.org/CVERecord?id=CVE-2026-25063
[1] https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv
[2] https://github.com/gradle/gradle-completion/commit/f0034a8a44b8191e5b764cf9b0211cade6ee55d7

Regards,
Salvatore