PT-2025-24436

Jaroslav Lobačevski · Published 2025-06-09 · Updated 2025-06-10

CVE-2025-49013

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

WilderForge (affected versions not specified)

Description

A critical issue has been identified in the WilderForge organization, stemming from the unsafe use of user-controlled variables, such as ${{ github.event.review.body }}, directly inside shell script contexts in GitHub Actions workflows. Because the expression is expanded into the script text before the shell runs it, this is a code injection issue: a malicious actor can execute arbitrary shell code on the GitHub Actions runner by submitting a crafted pull request review. This can lead to arbitrary command execution with the permissions of the workflow, potentially compromising CI infrastructure, secrets, and build outputs. The issue affects developers who maintain or contribute to specific WilderForge repositories, as well as users who fork these repositories and reuse the affected GitHub Actions workflows. End users of the software and users who only install pre-built releases or artifacts are not affected.

Recommendations

As a temporary workaround, consider disabling GitHub Actions in affected repositories or removing the affected workflows. Restrict access to the vulnerable GitHub Actions workflows to minimize the risk of exploitation. Avoid using the github.event.review.body variable in the affected workflows until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
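The pattern the description refers to is the expansion of ${{ github.event.review.body }} into the text of a run: script before the shell executes it; the value is only safe when it reaches the step as data, for example through env: and a quoted shell variable. The following is an added example written for this page (not code from WilderForge, GitHub, or the advisory): a small scanner that reports untrusted ${{ }} expressions found inside run: scripts and stays silent for the env: form. The two workflows are constructed samples, and the list of untrusted contexts is an assumption drawn from GitHub's published guidance on script injection rather than something the advisory states.

```python
import re

# Constructed sample workflows (not WilderForge's own files). The first step
# pastes the review body into the script text, the pattern the advisory
# describes; the hardened variant passes the same value through the environment.
VULNERABLE_WORKFLOW = """\
name: review-handler
on: pull_request_review
jobs:
  handle:
    runs-on: ubuntu-latest
    steps:
      - name: Vulnerable, review text is expanded into the script before it runs
        run: |
          echo "Review said: ${{ github.event.review.body }}"
      - name: Fine, the commit SHA is not free-form user text
        run: echo "Building ${{ github.sha }}"
"""

HARDENED_WORKFLOW = """\
name: review-handler
on: pull_request_review
jobs:
  handle:
    runs-on: ubuntu-latest
    steps:
      - name: Hardened, the shell sees the value only as an environment variable
        env:
          REVIEW_BODY: ${{ github.event.review.body }}
        run: |
          echo "Review said: $REVIEW_BODY"
"""

# A ${{ ... }} expression inside a line of script text.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# A `run:` key, optionally as the first key of a list item ("- run: ...").
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
# Contexts carrying free-form text chosen by whoever opened the PR, review,
# issue or branch (assumed list based on GitHub's script-injection guidance;
# extend it for your own workflows).
UNTRUSTED_PREFIXES = (
    "github.event.",    # review.body, pull_request.title, issue.body, ...
    "github.head_ref",  # PR source branch name
)


def _untrusted_expressions(text, lineno):
    """Return (lineno, expression) for every untrusted ${{ }} in one line."""
    return [(lineno, expr) for expr in EXPR_RE.findall(text)
            if expr.startswith(UNTRUSTED_PREFIXES)]


def find_run_script_injections(workflow_text):
    """Flag untrusted expressions that appear inside `run:` scripts.

    Expressions under `env:` or `with:` are not flagged: there the value is
    handed to the step as data rather than spliced into the script source.
    Line-based YAML handling only, enough for ordinary workflow files.
    """
    findings = []
    in_block = False  # inside a `run: |` or `run: >` block scalar
    key_col = 0       # column of the `run` key that opened the block
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if in_block:
            # The block scalar continues while lines are blank or indented past the key.
            if not stripped or indent > key_col:
                findings.extend(_untrusted_expressions(line, lineno))
                continue
            in_block = False
        m = RUN_RE.match(line)
        if not m:
            continue
        rest = m.group(3).strip()
        if rest.startswith(("|", ">")):
            in_block = True
            key_col = len(m.group(1)) + len(m.group(2) or "")
        else:
            findings.extend(_untrusted_expressions(rest, lineno))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW),
                        ("hardened", HARDENED_WORKFLOW)):
        hits = find_run_script_injections(text)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, expr in hits:
            print(f"  line {lineno}: ${{{{ {expr} }}}} inside a run: script")
```

Run it over a checkout's .github/workflows directory to get a quick inventory of steps that splice event data into shell text; each hit is a candidate for the env: rewrite shown in the hardened sample, where the script reads "$REVIEW_BODY" and the reviewer's text can no longer change the script itself.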

Weakness Enumeration

Improper Encoding or Escaping of Output
Code Injection
Eval Injection

Related Identifiers

CVE-2025-49013
GHSA-M6R3-C73X-8FW5

Affected Products

GitHub Actions
WilderForge