Vulnerability	Vulnerable Version
H Command Injection renovate is a dependency updater. Affected versions of this package are vulnerable to Command Injection via the `distributionUrl` parameter in the Gradle Wrapper update process. An attacker can execute arbitrary commands within the runtime environment by injecting shell command substitution syntax into the `distributionUrl` value into the `gradle-wrapper.properties` file. This can lead to unauthorized file access, data exfiltration, or modification of resources accessible to the process. Note: Users of composer, yarn (v1) or flux managers, should consider upgrading to 42.74.5 (2026-01-08), as there were follow-up fixes to keep these managers working. How to fix Command Injection? Upgrade `renovate` to version 42.68.5 or higher.	>=32.124.0 <42.68.5

Command Injection

renovate is a dependency updater.

Affected versions of this package are vulnerable to Command Injection via the distributionUrl parameter in the Gradle Wrapper update process. An attacker can execute arbitrary commands within the runtime environment by injecting shell command substitution syntax into the distributionUrl value into the gradle-wrapper.properties file. This can lead to unauthorized file access, data exfiltration, or modification of resources accessible to the process.

Note:

Users of composer, yarn (v1) or flux managers, should consider upgrading to 42.74.5 (2026-01-08), as there were follow-up fixes to keep these managers working.

How to fix Command Injection?

Upgrade renovate to version 42.68.5 or higher.

>=32.124.0 <42.68.5

Go back to all versions of this package