CVE-2025-67640 — Jenkins Git client Plugin has an OS command injection vulnerability on agents in

Description

Jenkins Git client Plugin 6.4.0 and earlier does not not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.

How to fix CVE-2025-67640

To remediate CVE-2025-67640, upgrade the affected package to a fixed version below.

—upgrade to 6.4.1 or later

Is CVE-2025-67640 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.0	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-67640
PATCHgithub.com/jenkinsci/git-client-plugin
WEBgithub.com/jenkinsci/git-client-plugin/commit/5a271e5d1d08bd45cdb3c3541856d2dc2abf0dbc
WEBwww.jenkins.io/security/advisory/2025-12-10/#SECURITY-3614