Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
In JetBrains Junie before 252.549.29 command execution was possible via malicious project file
AnalysisAI
Command execution in JetBrains Junie before version 252.549.29 allows local attackers to execute arbitrary commands by crafting malicious project files, requiring user interaction to open the file. The vulnerability affects all Junie versions prior to the patched release and exploits unsafe handling of project file content without proper sanitization.
Technical ContextAI
JetBrains Junie is an IDE that processes project configuration files during workspace initialization. The vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that user-supplied input from malicious project files is passed to command execution functions without adequate validation or escaping. When Junie parses a crafted project file, unsanitized data reaches shell execution routines, allowing injection of arbitrary commands. This is a classic command injection vulnerability where metacharacters or command separators embedded in project file data are not neutralized before being interpreted by the shell.
RemediationAI
Vendor-released patch: JetBrains Junie 252.549.29 or later. Users must upgrade to the fixed version immediately via the JetBrains update mechanism or by downloading the latest release from jetbrains.com. No workaround exists for older versions; the only mitigation is patching. In environments where immediate upgrade is infeasible, restrict user ability to open untrusted project files by disabling auto-loading of projects from untrusted sources, though this degrades usability. Additionally, monitor for suspicious project file sources and educate users not to open project files from unknown or untrusted origins. See https://www.jetbrains.com/privacy-security/issues-fixed/ for official details.
In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54
In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23430