PT-2025-31382 · Dedupe · Dedupe

Albertopellitteri +1 · Published 2025-07-30 · Updated 2025-07-30 · CVE-2025-54430

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: dedupe versions prior to commit 3f61e79

Description: dedupe is a Python library used for fuzzy matching, deduplication, and entity resolution on structured data. A critical severity issue exists in the .github/workflows/benchmark-bot.yml workflow, which is triggered by an issue comment whose body contains @benchmark. The workflow checks out the branch of a pull request (PR), which a potentially malicious contributor controls, so untrusted code from that branch is executed in the workflow. This could result in the exfiltration of the GITHUB_TOKEN, which has write permissions, potentially leading to repository takeover.

Recommendations: Update to commit 3f61e79 or later to resolve this issue.
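As an added example (not part of the advisory or the dedupe project), a small line-based scanner for the pattern the description outlines: a comment-triggered workflow that checks out a PR-controlled ref while the GITHUB_TOKEN keeps write permissions. The workflow text, job name and script path are constructed to illustrate that shape and are not dedupe's real file; the hardened variant shows the two generic mitigations (read-only token, no checkout of the PR head), not the project's actual fix.

```python
import re
from itertools import takewhile

# Constructed sample in the shape the advisory describes (not dedupe's real file).
VULNERABLE_WORKFLOW = """\
on:
  issue_comment:
jobs:
  bench:
    if: contains(github.event.comment.body, '@benchmark')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - run: python benchmarks/run.py
"""
# Same job hardened in two places: a read-only token, and no checkout of the PR head.
PR_HEAD_CHECKOUT = "        with:\n          ref: refs/pull/${{ github.event.issue.number }}/head\n"
HARDENED_WORKFLOW = "permissions:\n  contents: read\n" + VULNERABLE_WORKFLOW.replace(PR_HEAD_CHECKOUT, "")

# Triggers that run with the base repo's token, and refs a PR author controls.
PRIVILEGED_TRIGGER = re.compile(r"^\s*(issue_comment|pull_request_target):")
PR_CONTROLLED_REF = re.compile(r"^\s*ref:.*(refs/pull/|event\.issue\.number|pull_request\.head)")


def token_is_read_only(lines):
    """True only if a top-level permissions block exists and grants no write scope."""
    for i, line in enumerate(lines):
        if line.startswith("permissions:"):
            block = list(takewhile(lambda ln: ln.startswith(" "), lines[i + 1:]))
            explicit = block or re.search(r"read-all|\{\}", line)
            return bool(explicit) and "write" not in "\n".join([line] + block)
    return False


def pwn_request_findings(workflow_text):
    """Flag the advisory's pattern; an empty list means nothing matched."""
    lines = workflow_text.splitlines()
    if not any(PRIVILEGED_TRIGGER.match(ln) for ln in lines):
        return []
    findings = []
    if any(PR_CONTROLLED_REF.match(ln) for ln in lines):
        findings.append("privileged trigger checks out a PR-controlled ref")
    if not token_is_read_only(lines):
        findings.append("GITHUB_TOKEN not restricted to read-only permissions")
    return findings
```

The scanner is deliberately simple (line-based, top-level `permissions:` only), so a clean result is a reason to read the file, not proof that it is safe.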


Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2025-54430
GHSA-WRG3-XQW8-M85P

Affected Products

Dedupe