PT-2025-30953 · Tj Actions · Branch-Names

Published

2025-07-25

·

Updated

2025-08-31

·

CVE-2025-54416

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions

tj-actions/branch-names versions 8.2.1 and below

Description

A critical command injection vulnerability exists in the tj-actions/branch-names GitHub Action. The flaw is due to inconsistent input sanitization and unescaped output, allowing malicious actors to execute arbitrary commands through specially crafted branch or tag names. The vulnerability stems from the unsafe use of the eval printf "%s" pattern within the action's codebase: eval re-parses a value that has already been sanitized, so shell metacharacters in a branch or tag name are interpreted a second time, which reintroduces the command injection risk the sanitization was meant to remove. This can lead to the theft of sensitive secrets, unauthorized write access, and compromise of repository integrity. Over 5,000 public repositories are potentially affected.

Recommendations

Update to version 9.0.0 to address this vulnerability.
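The following is an added illustration, not code from tj-actions/branch-names, of the mechanism the description names: a value that has already been filtered is re-parsed by the shell when it passes through eval printf "%s", while a plain printf treats it as data. The ref names, the allowlist, and the emit_output helper are assumptions made for this example; the allowlist is a deliberately strict policy, narrower than the set of characters git itself accepts in a ref name.

```shell
#!/bin/sh
# Added example, not the tj-actions/branch-names code. Demonstrates why
# `eval printf "%s"` undoes earlier sanitization and what the hardened
# handling of a branch or tag name looks like. All names are assumptions.

# Constructed sample ref names (not taken from any real repository).
SAFE_REF='feature/login-v2'
HOSTILE_REF='release/$(echo INJECTED)'

# Vulnerable pattern named in the advisory: eval joins its arguments into one
# string and parses it again, so a command substitution embedded in the ref
# name is executed even though the value arrived as plain text.
unsafe_render() {
  eval printf '%s' "$1"
}

# Hardened form: no eval. printf receives the value as a single argument and
# emits it byte for byte; nothing inside it is interpreted by the shell.
safe_render() {
  printf '%s' "$1"
}

# Allowlist validation for a git ref name (assumed policy for this example):
# letters, digits, '/', '.', '-' and '_' only. Anything else is rejected.
is_safe_ref_name() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9/._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Write a key=value line to an outputs file (in a workflow this would be the
# file named by $GITHUB_OUTPUT) without ever re-parsing the value.
# $1 = output key, $2 = ref name, $3 = destination file.
emit_output() {
  is_safe_ref_name "$2" || return 1
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# Stand-alone demonstration of the two renderings.
printf 'unsafe: %s\n' "$(unsafe_render "$HOSTILE_REF")"
printf 'safe:   %s\n' "$(safe_render "$HOSTILE_REF")"
```

Run as a plain sh script, the "unsafe" line shows the substitution having been executed (release/INJECTED) while the "safe" line shows the literal ref name unchanged. The allowlist is the second layer: even with eval removed, an action should reject ref names it does not expect before writing them anywhere a later step might consume them.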

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2025-54416
GHSA-GQ52-6PHF-X2R6

Affected Products

Branch-Names