PT-2024-40108 · Github Actions · Dawidd6/Action-Download-Artifact

Published

2024-11-25

·

Updated

2024-11-25

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: dawidd6/action-download-artifact versions prior to v6
Description: By default (allow_forks: true in versions before v6), the action searches a repository's forks for matching artifacts. This lets an unprivileged attacker introduce a compromised artifact into a privileged workflow context: artifact poisoning, where a malicious executable is retrieved and potentially executed in the privileged context of the downloading workflow. To exploit it, the attacker forks a public repository, modifies the build process to produce a compromised artifact, and re-triggers the fork's build whenever needed so that the compromised artifact is always the latest match. The impact ranges from downstream contamination to direct workflow compromise.
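Added illustration of the search described above (constructed data; not the action's own code and not part of the advisory): a simulation of a "newest matching run wins" selection. The repository names, the WorkflowRun fields and the select_run filter are assumptions that mirror the documented behaviour (forks searched when allow_forks is true), not the action's implementation.

```python
"""Added example: simulate the 'newest matching run wins' search that the
advisory describes. Constructed data and an approximate selection rule;
this is not dawidd6/action-download-artifact's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UPSTREAM = "example-org/app"   # assumed upstream repository (constructed)
ATTACKER = "attacker/app"      # assumed fork (constructed)
WORKFLOW = "build.yml"


@dataclass(frozen=True)
class WorkflowRun:
    id: int
    workflow: str
    head_repository: str   # repo whose code produced the run: upstream or a fork
    created_at: datetime
    conclusion: str        # "success", "failure", ...


def select_run(runs, repo, workflow, allow_forks, conclusion="success"):
    """Newest run of `workflow` with the wanted conclusion.

    allow_forks=True (the pre-v6 default) lets a run from any fork qualify;
    allow_forks=False keeps only runs whose head repository is `repo`.
    Assumption: the real action filters on the run's head repository similarly.
    """
    candidates = [
        r for r in runs
        if r.workflow == workflow
        and r.conclusion == conclusion
        and (allow_forks or r.head_repository == repo)
    ]
    return max(candidates, key=lambda r: r.created_at) if candidates else None


T0 = datetime(2024, 11, 1, tzinfo=timezone.utc)

# Constructed history: upstream built on day 0; the attacker forked,
# changed the build step, and pushed a day later.
RUNS = [
    WorkflowRun(100, WORKFLOW, UPSTREAM, T0, "success"),
    WorkflowRun(101, WORKFLOW, ATTACKER, T0 + timedelta(days=1), "success"),
]


def pick_origin(allow_forks, runs=RUNS):
    """Which repository's artifact a downstream job would download."""
    run = select_run(runs, UPSTREAM, WORKFLOW, allow_forks)
    return run.head_repository if run else None


def race_scenario(runs=RUNS):
    """Upstream rebuilds on day 2; the attacker re-runs the fork build a
    minute later so the poisoned artifact is the newest match again."""
    rebuild = WorkflowRun(102, WORKFLOW, UPSTREAM, T0 + timedelta(days=2), "success")
    retrigger = WorkflowRun(103, WORKFLOW, ATTACKER,
                            rebuild.created_at + timedelta(minutes=1), "success")
    return runs + [rebuild, retrigger]


if __name__ == "__main__":
    print("allow_forks=true  ->", pick_origin(True))        # attacker/app
    print("allow_forks=false ->", pick_origin(False))       # example-org/app
    print("after upstream rebuild and attacker re-run, allow_forks=true ->",
          pick_origin(True, race_scenario()))               # attacker/app
```

The point of race_scenario is that "latest" is attacker-controlled: as long as fork runs are eligible, the attacker only has to re-run their build after every upstream build to stay newest, so a downstream job that trusts the most recent successful run will keep fetching the poisoned artifact.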
Recommendations: Upgrade dawidd6/action-download-artifact to v6 or newer, where the default behavior changes and forks are no longer searched for matching artifacts. If you cannot upgrade, explicitly set allow_forks: false on the step to disable the fork search.
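Added check for the recommendation above (not the project's or the advisory's code): a small audit script that scans workflow files for steps using dawidd6/action-download-artifact and reports any step that is neither on v6+ with the default nor explicitly set to allow_forks: false. The workflow samples are constructed; the line-based parser and the rule that a branch or SHA ref cannot be verified against the v6 cut-off are assumptions of this example.

```python
"""Added example: audit GitHub Actions workflows for download-artifact steps
that still search forks. Not the action's own code. Assumes the advisory's
facts: the input is `allow_forks`, it defaulted to true before v6, and v6+
changes the default. The parser is a minimal line scanner for `uses:` and
flat `key: value` inputs under `with:`, so it needs no PyYAML; flow mappings,
anchors and '#' inside values are not handled."""
import re
import sys
from pathlib import Path

ACTION = "dawidd6/action-download-artifact"
FIXED_MAJOR = 6

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
KV_RE = re.compile(r"^\s*([A-Za-z_][\w-]*):\s*(.*?)\s*$")


def parse_steps(text):
    """Return [(ref, inputs)] for every step that uses ACTION."""
    steps, current, in_with, with_indent = [], None, False, -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        m = USES_RE.match(line)
        if m:                                     # a new step (or reusable workflow)
            if current:
                steps.append(current)
            action, _, ref = m.group(1).partition("@")
            current = (ref, {}) if action == ACTION else None
            in_with = False
            continue
        if current is None:
            continue
        kv = KV_RE.match(line)
        if kv and kv.group(1) == "with" and kv.group(2) == "":
            in_with, with_indent = True, indent
        elif in_with and kv and indent > with_indent:
            current[1][kv.group(1)] = kv.group(2).strip("'\"")
        else:
            in_with = False                       # left the with: block
    if current:
        steps.append(current)
    return steps


def major_version(ref):
    """Major number of a version tag such as v6 or v6.1.0; None for branches/SHAs."""
    m = re.fullmatch(r"v?(\d+)(?:\.\d+)*", ref)
    return int(m.group(1)) if m else None


def findings(text):
    """Human-readable problems for one workflow file; an empty list means clean."""
    problems = []
    for ref, inputs in parse_steps(text):
        allow = inputs.get("allow_forks", "").lower()
        if allow == "false":
            continue          # forks excluded explicitly: safe on any version
        major = major_version(ref)
        if allow == "" and major is not None and major >= FIXED_MAJOR:
            continue          # v6+ default no longer searches forks
        if allow == "true":
            why = "allow_forks: true re-enables the fork search"
        elif major is None:
            why = f"ref '{ref}' is not a version tag, so the default cannot be verified"
        else:
            why = f"ref '{ref}' is before v{FIXED_MAJOR} and allow_forks is not false"
        problems.append(f"{ACTION}@{ref}: {why}")
    return problems


def sample(ref, allow_forks=None):
    """Constructed deploy workflow: it runs after the build workflow and
    executes the binary it downloaded, which is what makes poisoning matter."""
    extra = f"          allow_forks: {allow_forks}\n" if allow_forks is not None else ""
    return (
        "name: deploy\non:\n  workflow_run:\n    workflows: [build]\n"
        "    types: [completed]\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n"
        "    steps:\n"
        f"      - uses: {ACTION}@{ref}\n"
        "        with:\n          workflow: build.yml\n          name: release-binary\n"
        f"{extra}"
        "      - run: chmod +x release-binary && ./release-binary  # runs whatever was fetched\n"
    )


SAMPLES = {
    "vulnerable (v3, default)": sample("v3"),
    "hardened (v6, allow_forks false)": sample("v6", "false"),
    "old but opted out (v3, allow_forks false)": sample("v3", "false"),
    "v6 with fork search re-enabled": sample("v6", "true"),
}


def audit_samples():
    return {name: findings(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    texts = {p: Path(p).read_text() for p in sys.argv[1:]} or SAMPLES
    for name, text in texts.items():
        for problem in findings(text) or ["ok"]:
            print(f"{name}: {problem}")
```

Run it with one or more workflow paths (`python audit.py .github/workflows/*.yml`), or with no arguments to see the constructed samples. A branch or commit ref is reported rather than trusted, because the script cannot tell from the ref alone whether that code contains the v6 default change; pin a v6+ tag or pass allow_forks: false so the decision is explicit in the workflow.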


Weakness Enumeration

Related Identifiers

GHSA-5XR6-XHWW-33M4

Affected Products

Dawidd6/Action-Download-Artifact