Vulnerabilites related to tj-actions - branch-names
CVE-2023-49291 (GCVE-0-2023-49291)
Vulnerability from cvelistv5
Published
2023-12-04 23:21
Modified
2024-08-02 21:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tj-actions | branch-names |
Version: < 7.0.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:44.957Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf"
},
{
"name": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337"
},
{
"name": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815"
},
{
"name": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060"
},
{
"name": "https://securitylab.github.com/research/github-actions-untrusted-input",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/research/github-actions-untrusted-input"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "branch-names",
"vendor": "tj-actions",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-04T23:21:33.367Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf"
},
{
"name": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337"
},
{
"name": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815"
},
{
"name": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060"
},
{
"name": "https://securitylab.github.com/research/github-actions-untrusted-input",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/research/github-actions-untrusted-input"
}
],
"source": {
"advisory": "GHSA-8v8w-v8xg-79rf",
"discovery": "UNKNOWN"
},
"title": "Improper Sanitization of Branch Name Leads to Arbitrary Code Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49291",
"datePublished": "2023-12-04T23:21:33.367Z",
"dateReserved": "2023-11-24T16:45:24.313Z",
"dateUpdated": "2024-08-02T21:53:44.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54416 (GCVE-0-2025-54416)
Vulnerability from cvelistv5
Published
2025-07-26 03:34
Modified
2025-07-28 18:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names' GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2r6 | x_refsource_CONFIRM | |
| https://github.com/tj-actions/branch-names/commit/e497ceb8ccd43fd9573cf2e375216625bc411d1f | x_refsource_MISC | |
| https://github.com/tj-actions/branch-names/releases/tag/v9.0.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tj-actions | branch-names |
Version: < 9.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54416",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T15:28:06.240335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T18:55:45.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2r6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "branch-names",
"vendor": "tj-actions",
"versions": [
{
"status": "affected",
"version": "\u003c 9.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names\u0027 GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:34:31.288Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2r6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2r6"
},
{
"name": "https://github.com/tj-actions/branch-names/commit/e497ceb8ccd43fd9573cf2e375216625bc411d1f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tj-actions/branch-names/commit/e497ceb8ccd43fd9573cf2e375216625bc411d1f"
},
{
"name": "https://github.com/tj-actions/branch-names/releases/tag/v9.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tj-actions/branch-names/releases/tag/v9.0.0"
}
],
"source": {
"advisory": "GHSA-gq52-6phf-x2r6",
"discovery": "UNKNOWN"
},
"title": "tj-actions/branch-names Contains Command Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54416",
"datePublished": "2025-07-26T03:34:31.288Z",
"dateReserved": "2025-07-21T23:18:10.280Z",
"dateUpdated": "2025-07-28T18:55:45.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-12-05 00:15
Modified
2024-11-21 08:33
Severity ?
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tj-actions | branch-names | * | |
| tj-actions | branch-names | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tj-actions:branch-names:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4AB0A58B-E056-49E3-9CD4-063AF78D1ECB",
"versionEndExcluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tj-actions:branch-names:*:*:*:*:*:*:*:*",
"matchCriteriaId": "04A7066A-CDAB-4C39-AD1F-87ADAF23495A",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "7.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "tj-actions/branch-names es una acci\u00f3n de Github para recuperar nombres de ramas o etiquetas con soporte para todos los eventos. Las GitHub Actions `tj-actions/branch-names` hacen referencia incorrectamente a las variables de contexto `github.event.pull_request.head.ref` y `github.head_ref` dentro de un paso de `ejecuci\u00f3n` de GitHub Actions. La variable head ref es el nombre de la rama y se puede usar para ejecutar c\u00f3digo arbitrario usando un nombre de rama especialmente manipulado. Como resultado, un atacante puede utilizar esta vulnerabilidad para robar secretos o abusar de los permisos \"GITHUB_TOKEN\". Esta vulnerabilidad se ha solucionado en la versi\u00f3n 7.0.7. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2023-49291",
"lastModified": "2024-11-21T08:33:12.027",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-05T00:15:09.403",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://securitylab.github.com/research/github-actions-untrusted-input"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://securitylab.github.com/research/github-actions-untrusted-input"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}