PT-2024-29282 · Unknown · Monkeytype

Pwntester · Published 2024-02-17 · Updated 2024-09-11 · CVE-2024-41127

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Monkeytype versions prior to 24.30.0

Description
The issue is a Poisoned Pipeline Execution through Code Injection in the ci-failure-comment.yml GitHub workflow of Monkeytype. The steps.pr_num_reader.outputs.content workflow variable is not validated and is later interpolated into a JS script, so an attacker can change the code that is executed. Exploiting this allows attackers to gain pull-requests write access.

Recommendations
For Monkeytype versions prior to 24.30.0, update to version 24.30.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the ci-failure-comment.yml workflow to minimize the risk of exploitation. Avoid using the steps.pr_num_reader.outputs.content variable in the affected workflow until the issue is resolved.
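
A defensive check for the pattern described above, as an added example that is not Monkeytype's code or its fix: it flags `${{ }}` expressions expanded inside a `script:` block and shows a strict numeric check for a value that should be a PR number. The sample workflow and the names `findScriptInterpolations` and `parsePrNumber` are constructed for illustration; only `steps.pr_num_reader.outputs.content` comes from the advisory.

```javascript
// Constructed sample workflow, NOT Monkeytype's file. Step 1 expands the
// expression into the script text; step 2 passes it through an env variable.
const SAMPLE_WORKFLOW = [
  'jobs:',
  '  comment:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/github-script@v7',
  '        with:',
  '          script: |',
  '            const pr = ${{ steps.pr_num_reader.outputs.content }};',
  '            console.log(pr);',
  '      - uses: actions/github-script@v7',
  '        env:',
  '          PR_NUM: ${{ steps.pr_num_reader.outputs.content }}',
  '        with:',
  '          script: |',
  '            const pr = parsePrNumber(process.env.PR_NUM);',
].join('\n');

// Return {line, expr} for each ${{ }} expression found inside a `script:`
// block scalar (| or >). Inline one-line scripts are out of scope here.
function findScriptInterpolations(yamlText) {
  const findings = [];
  let scriptIndent = -1; // indent of the `script:` key while inside its block
  yamlText.split('\n').forEach((line, i) => {
    const indent = line.search(/\S/); // -1 for blank lines
    // A non-blank line at or left of the key's indent ends the block.
    if (scriptIndent >= 0 && indent !== -1 && indent <= scriptIndent) scriptIndent = -1;
    if (scriptIndent >= 0) {
      for (const m of line.matchAll(/\$\{\{\s*(.*?)\s*\}\}/g)) {
        findings.push({ line: i + 1, expr: m[1] });
      }
    } else if (/^\s*script:\s*[|>][+-]?\s*$/.test(line)) {
      scriptIndent = indent;
    }
  });
  return findings;
}

// Strict check for a value that must be a PR number: decimal digits only.
function parsePrNumber(raw) {
  const s = String(raw).trim(); // an artifact file may end with a newline
  if (!/^[1-9][0-9]{0,9}$/.test(s)) throw new Error('PR number is not numeric');
  return Number(s);
}
```

Only the first step is reported: a value read from `process.env` at run time is data to the script, whereas an expression expanded into the script text becomes part of the code.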

Exploit

Fix

Weakness Enumeration
Special Elements Injection
Code Injection

Related Identifiers
CVE-2024-41127
GHSA-WCJF-5464-4WQ9

Affected Products
Monkeytype