PT-2025-20693 · Github · Ozi Action
Rjdbcmp · Published 2025-05-12 · Updated 2025-05-12 · CVE-2025-47271
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions
OZI action versions 1.13.2 through 1.13.5
Description
The OZI action, a GitHub Action for publishing releases to PyPI, has a flaw in which potentially untrusted data (a branch name) flows into its pull-request creation logic. A malicious actor who can choose a branch name can therefore construct one that injects arbitrary code into the workflow.
Recommendations
For versions 1.13.2 through 1.13.5, update to version 1.13.6 to resolve the issue.
As a temporary workaround for versions 1.13.2 through 1.13.5, consider downgrading to a version prior to 1.13.2.
Weakness classification: Code Injection, Eval Injection
Related Identifiers: CVE-2025-47271
Affected Products: Ozi Action