CVE-2025-67640

CWE-78 — OS Command Injection6 documents6 sources

Severity

5.0MEDIUM

EPSS

0.1%

top 67.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins GIT Client Jenkins Project Jenkins GIT Client Plugin

Timeline

PublishedDec 10

Description

Jenkins Git client Plugin 6.4.0 and earlier does not not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 1.6 | Impact: 3.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:git-client< 6.4.1

▶CVEListV5jenkins_project/jenkins_git_client_plugin6.4.0

▶NVDjenkins/git_client< 6.4.1

🔴Vulnerability Details

OSV

Jenkins Git client Plugin has an OS command injection vulnerability on agents in Git client Plugin↗2025-12-10

▶

GHSA

Jenkins Git client Plugin has an OS command injection vulnerability on agents in Git client Plugin↗2025-12-10

▶

CVEList

CVE-2025-67640: Jenkins Git client Plugin 6↗2025-12-10

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2025-12-10↗2025-12-10

▶

🕵️Threat Intelligence

Wiz

CVE-2025-67640 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶