PT-2025-42410 · Github Actions · J178/Prek-Action

Published: 2025-09-29 · Updated: 2025-09-29

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

There are three potential arbitrary code injection vectors in the composite action defined in action.yml.

Details

The GitHub Action inputs inputs.prek-version, inputs.extra_args, and inputs.extra-args are interpolated into shell commands and can be used to execute arbitrary code in the context of the action.

PoC

```yaml
- uses: j178/prek-action@v1.0.5
  with:
    prek-version: $(printenv >> $GITHUB_STEP_SUMMARY && echo "0.2.2")
    extra_args: '&& echo "MY_SECRET with a character is: ${MY_SECRET:0:1}a${MY_SECRET:1}" >> $GITHUB_STEP_SUMMARY && echo ""'
  env:
    MY_SECRET: ${{ secrets.MY_SECRET }}
```
The previous example prints all the environment variables and exposes the value of the MY_SECRET environment variable in the workflow summary. An attacker could use this vector to compromise the security of the target repository, potentially without being noticed, because the action still runs normally.
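The root cause is the pattern of placing `${{ inputs.* }}` expressions directly inside a `run:` script: GitHub substitutes the expression textually before bash starts, so shell quoting inside the script does not help. The defensive fix is to pass inputs through `env:` and reference them as quoted shell variables. The following script is an added example, not code from the advisory or from the j178/prek-action project: it contains a constructed vulnerable composite action alongside its hardened form (the action name, the input names `tool-version` and `extra-args`, and the commands are invented for illustration) and a small line-based scanner that flags untrusted expressions inside `run:` steps, so the pattern can be detected in review or CI.

```python
import re

# GitHub expression syntax: ${{ ... }}. Expansion happens before the shell runs.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

# Expression roots whose values can be controlled by a workflow author or
# external contributor and therefore must never be spliced into a script.
UNTRUSTED_PREFIXES = ("inputs.", "github.event.", "github.head_ref")

# Constructed vulnerable composite action (hypothetical, for illustration only).
# Quoting on the pipx line does not protect it: the expression is replaced
# textually, so an input such as $(id) or "; curl ..." runs as shell code.
VULNERABLE_ACTION = """\
name: example-composite
inputs:
  tool-version:
    default: "0.2.2"
  extra-args:
    default: ""
runs:
  using: composite
  steps:
    - run: |
        pipx install "tool==${{ inputs.tool-version }}"
        tool run ${{ inputs.extra-args }}
      shell: bash
"""

# Same action, hardened: inputs flow through env and are expanded by bash as
# ordinary variables, so their content is data, never code.
HARDENED_ACTION = """\
name: example-composite
inputs:
  tool-version:
    default: "0.2.2"
  extra-args:
    default: ""
runs:
  using: composite
  steps:
    - env:
        TOOL_VERSION: ${{ inputs.tool-version }}
        EXTRA_ARGS: ${{ inputs.extra-args }}
      run: |
        pipx install "tool==${TOOL_VERSION}"
        tool run "${EXTRA_ARGS}"
      shell: bash
"""


def find_run_injections(action_yaml: str):
    """Return (line_number, expression) for every untrusted ${{ }} expression
    that appears inside a run: value, including multi-line block scalars."""
    findings = []
    in_run = False
    key_col = 0
    for lineno, line in enumerate(action_yaml.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if not stripped:
            continue  # blank lines do not terminate a block scalar
        m = re.match(r"(?:-\s+)?run:\s*(.*)$", stripped)
        if m:
            in_run = True
            key_col = indent + stripped.index("run:")
            body = m.group(1)  # inline command, or the '|' / '>' indicator
        elif in_run and indent > key_col:
            body = stripped  # continuation line of the run: block scalar
        else:
            in_run = False  # any sibling key (shell:, env:, ...) ends the run
            continue
        for expr in EXPR_RE.findall(body):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_ACTION), ("hardened", HARDENED_ACTION)):
        hits = find_run_injections(text)
        print(f"{label}: {len(hits)} untrusted expression(s) inside run:")
        for lineno, expr in hits:
            print(f"  line {lineno}: ${{{{ {expr} }}}}")
```

The scanner only tracks `run:` keys and their indentation, which is enough for action.yml and workflow files but is not a full YAML parser; for anything beyond a quick review gate, use a dedicated tool. Note that `"${EXTRA_ARGS}"` in the hardened form passes the whole input as a single argument; if an action genuinely needs to accept several arguments, split them with `read -ra` into an array rather than reintroducing unquoted expansion.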

Impact

Critical, CWE-94

Fix

Code Injection


Weakness Enumeration

Related identifiers

GHSA-PWF7-47C3-MFHX

Affected products

J178/Prek-Action