PT-2022-23055 · GitHub · @actions/core

Jupenur · Published 2022-08-13 · Updated 2022-12-14 · CVE-2022-35954

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: @actions/core versions prior to v1.9.1

Description: The core.exportVariable function uses a well-known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Recommendations: For versions prior to v1.9.1, upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, modify your action to ensure that any user input does not contain the delimiter GitHubActionsFileCommandDelimeter before calling core.exportVariable.

Exploit · Fix

Weakness Enumeration: Special Elements Injection, Command Injection

Related Identifiers: CVE-2022-35954, GHSA-7R3H-M5J6-3Q42

Affected Products: @actions/core