CVE-2025-59844 is a high-severity OS command injection vulnerability affecting the SonarSource sonarqube-scan-action GitHub Action versions from 4.0.0 up to but not including 6.0.0. SonarQube is a widely used static code analysis tool that integrates into CI/CD pipelines to ensure code quality and security. The vulnerability arises specifically on Windows runners when user-controlled input is passed to the 'args' parameter without proper sanitization or validation. This improper neutralization of special elements (CWE-78) allows an attacker to inject arbitrary OS commands that the runner executes. Exploitation can lead to arbitrary command execution within the CI environment, potentially exposing sensitive environment variables such as credentials or tokens, and compromising the runner's integrity and confidentiality. Notably, this vulnerability bypasses a previous security fix, indicating a regression or incomplete remediation. The issue does not require user interaction but does require some level of privileges (low privileges) and authenticated access to influence the workflow inputs. The vulnerability has been addressed in version 6.0.0 of the sonarqube-scan-action, and users are strongly advised to upgrade. No known exploits are currently reported in the wild, but the ease of exploitation and potential impact make this a critical risk in CI/CD environments using affected versions on Windows runners.

For European organizations, this vulnerability poses a significant risk to the security of their software development pipelines. Many enterprises in Europe rely on GitHub Actions and SonarQube for continuous integration and code quality assurance. Successful exploitation could lead to unauthorized command execution on build agents, resulting in exposure of sensitive environment variables such as API keys, credentials, or tokens used in the pipeline. This could cascade into further compromise of internal systems or cloud environments. Additionally, the integrity of the build process could be undermined, allowing attackers to inject malicious code or backdoors into software artifacts. Given the increasing regulatory scrutiny in Europe around data protection (e.g., GDPR), such a compromise could lead to data breaches and significant compliance penalties. The vulnerability's presence in Windows runners is particularly impactful since many enterprise CI/CD environments use Windows-based build agents for .NET or other Windows-centric development. The lack of known exploits in the wild currently provides a window for mitigation, but the high CVSS score (7.7) and ease of exploitation mean European organizations should prioritize patching to avoid potential supply chain attacks or insider threat exploitation.

1. Immediate upgrade of the sonarqube-scan-action GitHub Action to version 6.0.0 or later, where the vulnerability is fixed. 2. Review and restrict workflow inputs, especially the 'args' parameter, to ensure only trusted and validated data is passed. Implement strict input validation and sanitization to prevent injection of special characters or commands. 3. Limit permissions of GitHub Actions workflows to the minimum necessary, using GitHub's permission model to restrict access to secrets and environment variables. 4. Use dedicated, isolated runners with minimal privileges and network access to reduce the blast radius of any potential compromise. 5. Monitor CI/CD pipeline logs and environment for unusual command executions or unexpected behavior. 6. Consider implementing additional runtime security controls on build agents, such as endpoint detection and response (EDR) tools, to detect anomalous processes or command executions. 7. Educate developers and DevOps teams about the risks of injecting untrusted input into CI/CD workflows and promote secure coding and pipeline configuration practices.