PT-2020-14294 · GitHub · @Actions/Core

Moderate · chrispat · Published 2020-10-01 · Updated 2021-11-18 · CVE-2020-15228

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: @actions/core versions prior to 1.2.6

Description: The issue arises from the addPath and exportVariable functions in the @actions/core npm module, which communicate with the Actions Runner over stdout by printing a command string in a specific format. Because the runner parses the action's standard output (STDOUT) and treats lines carrying a command marker as runner commands, a workflow that logs untrusted data to stdout can unintentionally modify its PATH or environment variables.

Recommendations: For versions prior to 1.2.6, upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in workflows with the new Environment File Syntax. As a temporary workaround, consider restricting the use of the addPath and exportVariable functions until the update is applied.

Exploit · Fix · Command Injection · RCE


Weakness Enumeration

Related Identifiers

CVE-2020-15228
GHSA-MFWH-5M23-J46W

Affected Products

@Actions/Core