May 12, 2021

GHSL-2020-337_338: Arbitrary code execution when cloning/checking out a Gradle project - CVE-2021-29263

Alvaro Munoz

Coordinated Disclosure Timeline


Upon cloning or checking out a Gradle project from an external repository (Get from VCS), both IntelliJ IDEA and Android Studio run the Gradle build task.


Tested Version

Build #IC-203.5981.155, built on November 30, 2020

Build #AI-201.8743.12.41.6953283, built on November 5, 2020


Issue: Code execution when cloning/checking out a repository

When cloning or checking out a repository containing a Gradle project, Android Studio and IntelliJ IDEA run the build task immediately, without asking for user confirmation, which would give the developer the opportunity to analyze the build script first.

If an attacker fools a developer into cloning or checking out a malicious repository, they will be able to run arbitrary code as part of the repository clone or checkout operation. For example, an attacker could hide a malware dropper using Gradle's Exec task or try something more stealthy.

apply plugin: 'java'

sourceCompatibility = 1.8
targetCompatibility = 1.8

// Evaluated at configuration time, i.e. as soon as the IDE syncs the project
void checkRequirements() {
    exec {
        executable 'touch'
        args '/tmp/pwned_from_gradle'
    }
}

checkRequirements()



When searching for similar patterns, I found the exact same issue being discussed as a malware spread vector, which highlights why this issue should be addressed. In addition, a similar vulnerability (CVE-2020-17156) was recently fixed in MS Visual Studio.
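As a defensive counterpart to the proof-of-concept above, here is an added example (not GHSL or JetBrains code) of a pre-import triage script: run it over a fresh clone before opening the project in an IDE that syncs Gradle automatically, and it lists the build-script lines that spawn processes, such as the exec block in the advisory's PoC. The pattern list and the set of build-script globs are constructed heuristics, not an exhaustive detector.

```python
import re
from pathlib import Path

# Ways a build script can spawn a process (constructed heuristic list, not exhaustive).
SUSPICIOUS_PATTERNS = {
    "exec block": re.compile(r"\bexec\s*\{"),                # project.exec { ... }
    "javaexec block": re.compile(r"\bjavaexec\s*\{"),
    "Exec task": re.compile(r"type\s*[:=]\s*Exec\b|Exec::class|<Exec>"),
    "Runtime.exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "ProcessBuilder": re.compile(r"\bProcessBuilder\s*\("),
    "Groovy .execute()": re.compile(r"\.execute\s*\("),
}
# Files Gradle evaluates on import/sync (constructed list; extend for your layout).
BUILD_SCRIPT_GLOBS = ("**/*.gradle", "**/*.gradle.kts", "buildSrc/**/*.groovy", "buildSrc/**/*.kt")

def scan_script(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, pattern label, source line) for every suspicious line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # crude: drop trailing line comments (also cuts URLs)
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(code):
                findings.append((number, label, line.strip()))
    return findings

def scan_scripts(scripts: dict[str, str]) -> dict[str, list[tuple[int, str, str]]]:
    """Scan {relative path: script text}; only files with findings are returned."""
    return {path: hits for path, text in scripts.items() if (hits := scan_script(text))}

def scan_repo(root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Read and scan every build script under a fresh clone, before the IDE imports it."""
    base = Path(root)
    scripts = {str(p.relative_to(base)): p.read_text(errors="replace")
               for glob in BUILD_SCRIPT_GLOBS for p in base.glob(glob) if p.is_file()}
    return scan_scripts(scripts)

# Constructed sample: the advisory's proof-of-concept script, completed with a call so it fires on sync.
SAMPLE_BUILD_SCRIPT = """\
apply plugin: 'java'
void checkRequirements() {
    exec {
        executable 'touch'
        args '/tmp/pwned_from_gradle'
    }
}
checkRequirements()
"""
```

Call `scan_repo("/path/to/clone")` from a shell, not from the IDE, and review every reported line before letting Gradle sync; a clean result only means none of these patterns appeared, since plugins and dependencies fetched during sync are not inspected.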


Arbitrary Code Execution on repository cloning/checkout.




This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include a reference to GHSL-2020-337, GHSL-2020-338 in any communication regarding this issue.