GHSA-pfq2-hh62-7m96: Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`
Renovate can be tricked into executing shell commands while updating the Gradle Wrapper. A malicious `distributionUrl` in `gradle/wrapper/gradle-wrapper.properties` can lead to command execution in the Renovate runtime.
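The advisory turns on a single untrusted value, `distributionUrl`, being read from `gradle/wrapper/gradle-wrapper.properties` and reaching a shell. A defensive pre-check, added here as an illustration and not taken from Renovate or the advisory, is to parse that file with proper Java-properties unescaping and refuse any `distributionUrl` that is not an HTTPS URL on an expected host, that contains whitespace or shell metacharacters, or whose path does not look like a Gradle distribution archive. The allowlisted host (`services.gradle.org`), the distribution path pattern, and both sample files are assumptions constructed for the example; the "bad" sample uses placeholder text, not an actual payload.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input in the real gradle-wrapper.properties layout.
# The backslash before ':' is Java-properties escaping, as Gradle itself writes it.
SAMPLE_OK = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-8.5-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""

# Constructed sample input: a distributionUrl that should be rejected
# (plain http, unknown host, non-distribution path, embedded whitespace).
SAMPLE_BAD = """\
distributionBase=GRADLE_USER_HOME
distributionUrl=http\\://example.invalid/not-a-gradle-dist.zip PLACEHOLDER-ARG
"""

# Assumption: the only host a Gradle distribution is expected to come from.
ALLOWED_HOSTS = {"services.gradle.org"}
# Assumption: the shape of an official distribution path, e.g. /distributions/gradle-8.5-bin.zip
DIST_PATH = re.compile(r"^/distributions(?:-snapshots)?/gradle-[0-9][\w.\-]*-(?:bin|all)\.zip$")
# Characters that have no business in a download URL and are commonly shell-significant.
SUSPICIOUS = re.compile(r"[\s;&|`$<>'\"\\]")


def _unescape(value):
    """Resolve Java-properties backslash escapes (\\: -> :, \\= -> =, \\t -> tab, ...)."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _split_kv(line):
    """Split at the first unescaped '=', ':' or whitespace, per the properties format."""
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if c in "=: \t":
            key = line[:i]
            rest = line[i:].lstrip(" \t")
            if rest[:1] in "=:":
                rest = rest[1:].lstrip(" \t")
            return key, rest
        i += 1
    return line, ""


def parse_properties(text):
    """Parse properties text into a dict, skipping blank and comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, val = _split_kv(line)
        props[_unescape(key)] = _unescape(val)
    return props


def check_distribution_url(props):
    """Return a list of findings; an empty list means distributionUrl passed every check."""
    url = props.get("distributionUrl")
    if url is None:
        return ["distributionUrl missing"]
    findings = []
    if SUSPICIOUS.search(url):
        findings.append("distributionUrl contains whitespace or shell metacharacters")
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if parts.hostname not in ALLOWED_HOSTS:
        findings.append(f"host {parts.hostname!r} is not in the allowlist")
    if not DIST_PATH.match(parts.path):
        findings.append(f"path {parts.path!r} does not look like a Gradle distribution")
    return findings


if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_distribution_url(parse_properties(text)) or "ok")
```

Run as a CI gate before any tool (Renovate included) is allowed to act on a wrapper update: the file is validated as data, and anything that fails is reported rather than passed on. The metacharacter check is deliberately strict; an official distribution URL never needs those characters, so rejecting them costs nothing.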