CVE-2025-67640: Jenkins Git client Plugin has an OS command injection vulnerability on agents in Git client Plugin
Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory when it is used as an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.
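The defect class described above is a generated shell script that pastes a path into a command line without quoting. The following Python example is added here to illustrate it and is not code from the Git client Plugin (which is Java) or from the advisory: it renders the same command line twice, once with raw interpolation and once through `shlex.quote()`, and checks how a POSIX shell would tokenise each. The workspace paths, the `cd ... && git status` command line and the function names are constructed for the example.

```python
import shlex
import subprocess
from typing import Optional

# Constructed sample workspace paths (not taken from the advisory). The second
# one contains a space, a single quote and a "$": the characters most likely to
# break a script that interpolates the path without quoting it.
PLAIN_WORKSPACE = "/var/jenkins/workspace/build-123"
AWKWARD_WORKSPACE = "/var/jenkins/workspace/it's a $HOME test"


def render_naive(workspace: str, command: str = "git status") -> str:
    """Generate the script the way an unescaped interpolation does: the path is
    pasted into the command line as-is. This is the pattern to avoid."""
    return f"#!/bin/sh\ncd {workspace} && {command}\n"


def render_quoted(workspace: str, command: str = "git status") -> str:
    """Hardened form: shlex.quote() wraps the path in single quotes and escapes
    any embedded single quote, so the shell sees one word and performs no
    expansion on it."""
    return f"#!/bin/sh\ncd {shlex.quote(workspace)} && {command}\n"


def command_line(script: str) -> str:
    """Return the single command line that follows the shebang."""
    return script.splitlines()[1]


def tokenize(line: str) -> Optional[list]:
    """Split a command line the way a POSIX shell splits words and honours
    quotes (shlex.split models quoting and word splitting, not expansion).
    Returns None when the line is malformed, e.g. has an unbalanced quote."""
    try:
        return shlex.split(line)
    except ValueError:
        return None


def workspace_is_single_word(script: str, workspace: str) -> bool:
    """True only if the shell would hand `cd` exactly one argument equal to the
    workspace path, i.e. the tokens are ['cd', <workspace>, '&&', ...]."""
    argv = tokenize(command_line(script))
    return (
        argv is not None
        and len(argv) > 2
        and argv[0] == "cd"
        and argv[1] == workspace
        and argv[2] == "&&"
    )


def shell_sees(workspace: str) -> str:
    """Cross-check with a real /bin/sh: print back the single argument the shell
    receives for the quoted path. A literal "$HOME" must come back unexpanded."""
    line = f"printf '%s\\n' {shlex.quote(workspace)}"
    result = subprocess.run(["sh", "-c", line], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    for ws in (PLAIN_WORKSPACE, AWKWARD_WORKSPACE):
        print(f"{ws!r}")
        print("  naive  intact:", workspace_is_single_word(render_naive(ws), ws))
        print("  quoted intact:", workspace_is_single_word(render_quoted(ws), ws))
        print("  sh receives :", shell_sees(ws))
```

The plain path survives both renderings, which is why this kind of bug goes unnoticed until a directory name carries a shell metacharacter. The awkward path makes the naive script malformed (an unbalanced quote) while the quoted script still delivers the exact path as one argument; the same quoting discipline, applied to every interpolated value, is the fix for this class of issue whatever language generates the script.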
References