CVE-2025-67640

MEDIUM5.0EPSS 0.05%

Jenkins Git client Plugin has an OS command injection vulnerability on agents in Git client Plugin

Published: 12/10/2025Modified: 12/10/2025

Description

Jenkins Git client Plugin 6.4.0 and earlier does not not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.

Affected packages (1)

Maven/org.jenkins-ci.plugins:git-clientfrom 0, < 6.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.0	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-67640
PATCHhttps://github.com/jenkinsci/git-client-plugin
WEBhttps://github.com/jenkinsci/git-client-plugin/commit/5a271e5d1d08bd45cdb3c3541856d2dc2abf0dbc
WEBhttps://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3614