PT-2024-32460 · Rsshub · Rsshub

Pwntester · Published 2024-09-26 · Updated 2024-10-02 · CVE-2024-47179

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RSSHub versions prior to commit 64e00e7

Description: RSSHub's docker-test-cont.yml workflow is vulnerable to Artifact Poisoning, which could have led to a full repository takeover. The workflow is triggered when the "PR - Docker build test" workflow completes successfully, and it downloads an artifact uploaded by that triggering workflow. Prior to commit 64e00e7, it did not validate the contents of the artifact, allowing a malicious actor to send a Pull Request that uploads a malicious package.json file with a script that runs arbitrary code in the context of the privileged workflow. The docker-test-cont.yml workflow collects information about the Pull Request and sets labels depending on the PR body and sender. If the PR contains a routes markdown block, it sets the TEST CONTINUE environment variable to true.

Recommendations: For RSSHub versions prior to commit 64e00e7, update to a version that includes commit 64e00e7 to fix the underlying issue and prevent a possible repository takeover by malicious actors. As a temporary workaround, consider restricting access to the docker-test-cont.yml workflow to minimize the risk of exploitation. Avoid using the package.json file in the affected workflow until the issue is resolved.
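The root cause described above is a privileged workflow_run job that consumes an artifact produced by an untrusted PR build without checking what is in it. The following is an added example, not RSSHub's code or its fixed workflow: a validation step a privileged job could run over the downloaded artifact (GitHub stores artifacts as zip archives, so the check takes zip bytes) before any file from it is used. The allowed file list, the npm lifecycle hook list, and the benign, poisoned and path-traversal sample artifacts are all constructed for this illustration.

```python
"""Validate an untrusted CI artifact before a privileged workflow_run job uses it.

Added example, not RSSHub's code. The artifact layout (a pr_number.txt plus a
package.json), the set of allowed files and the sample archives below are
assumptions made for illustration.
"""
import io
import json
import posixpath
import zipfile

# Files the privileged job expects to find in the artifact (assumed set).
ALLOWED_FILES = frozenset({"pr_number.txt", "package.json"})

# npm lifecycle hooks that run automatically during `npm install` / `npm ci`.
# A package.json defining any of these lets the PR author execute code in
# whatever job installs the package.
NPM_LIFECYCLE_HOOKS = frozenset(
    {"preinstall", "install", "postinstall", "prepare", "prepublish"}
)


def check_package_json(raw: bytes) -> list[str]:
    """Return findings for a package.json body; empty list means acceptable."""
    try:
        pkg = json.loads(raw)
    except (UnicodeDecodeError, json.JSONDecodeError):
        return ["package.json is not valid JSON"]
    if not isinstance(pkg, dict):
        return ["package.json top level is not an object"]
    scripts = pkg.get("scripts")
    if scripts is None:
        return []
    if not isinstance(scripts, dict):
        return ["package.json 'scripts' is not an object"]
    return [
        f"package.json defines lifecycle hook {hook!r}, which would execute during install"
        for hook in sorted(scripts)
        if hook in NPM_LIFECYCLE_HOOKS
    ]


def validate_artifact(zip_bytes: bytes, allowed_files=ALLOWED_FILES) -> list[str]:
    """Return a list of findings; an empty list means the artifact may be used."""
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["artifact is not a valid zip file"]
    for info in zf.infolist():
        name = info.filename
        # Reject absolute, traversing or non-canonical paths before reading content.
        norm = posixpath.normpath(name)
        if name.startswith("/") or norm.startswith("..") or norm != name:
            findings.append(f"unsafe or non-canonical path in artifact: {name!r}")
            continue
        # Only files the privileged job actually needs are tolerated.
        if name not in allowed_files:
            findings.append(f"unexpected file in artifact: {name!r}")
            continue
        if name == "package.json":
            findings.extend(check_package_json(zf.read(name)))
    return findings


def build_artifact(files: dict[str, str]) -> bytes:
    """Build an in-memory zip artifact from {path: content} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample artifacts (not real RSSHub build output).
BENIGN = build_artifact({
    "pr_number.txt": "1234",
    "package.json": json.dumps({"name": "routes-test", "scripts": {"test": "vitest run"}}),
})
POISONED = build_artifact({
    "pr_number.txt": "1234",
    "package.json": json.dumps({"name": "routes-test", "scripts": {"postinstall": "echo poisoned"}}),
})
TRAVERSAL = build_artifact({"../../outside.txt": "written outside the workspace"})


if __name__ == "__main__":
    for label, art in (("benign", BENIGN), ("poisoned", POISONED), ("traversal", TRAVERSAL)):
        print(label, validate_artifact(art) or "OK")
```

Run in the privileged job, this check has to happen before any `npm install`, `npm ci` or script invocation that reads the artifact; rejecting unexpected files and install-time hooks is the content validation the advisory says was missing before commit 64e00e7. Treating every path that does not normalise to itself as a finding also stops an artifact from placing files outside the directory it was extracted into.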

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2024-47179
GHSA-9MQC-FM24-H8CW

Affected Products

Rsshub