CVE-2025-27148: 
Gradle vulnerability analysis and mitigation

A security vulnerability (CVE-2025-27148) was discovered in Gradle, a build automation tool, affecting version 8.12. The vulnerability stems from the native-platform tool's interaction with system temporary directories on Unix-like systems, where open permissions could allow multiple users to create and delete files. The issue was discovered and disclosed on February 25, 2025, affecting specifically Gradle 8.12 and net.rubygrapefruit:native-platform versions prior to 0.22-milestone-28 (GitHub Advisory, Native Platform Advisory).

The vulnerability occurs when the native integration library initialization takes a default path, relying on copying binaries to the system temporary directory. The issue specifically manifests when the Native.get(Class<>) method is called without first calling Native.init(File) with a non-null argument as working file path. This causes the library to initialize itself using the system temporary directory, exposing the vulnerability. The vulnerability has been assigned a CVSS score of 8.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability could allow a local attacker to perform privilege escalation by quickly deleting and recreating files in the system temporary directory. Any execution of Gradle 8.12 exposed this exploit, potentially allowing attackers to execute commands at elevated privilege levels. The vulnerability affects Unix-like systems, while Windows and modern versions of macOS users are not vulnerable (Security Online).

The vulnerability has been patched in Gradle version 8.12.1 and 8.13. For users unable to upgrade immediately, several workarounds are available: 1) On Unix-like operating systems, ensure the "sticky" bit is set on the temporary directory, 2) Mount /tmp as noexec, or 3) Move the Java temporary directory by setting the System Property java.io.tmpdir to a location with limited permissions for the build user only (GitHub Advisory).