Name of the Vulnerable Software and Affected Versions:

dedupe versions prior to commit 3f61e79

Description:

dedupe is a Python library used for fuzzy matching, deduplication, and entity resolution on structured data. A critical severity issue exists in the `.github/workflows/benchmark-bot.yml` workflow, triggered by an `issue comment` with the `@benchmark` body. This workflow checks out the branch of a pull request (PR) manipulated by potentially malicious actors, leading to the execution of untrusted code. This could result in the exfiltration of the `GITHUB TOKEN`, which has write permissions, potentially leading to repository takeover.

Recommendations:

Update to commit 3f61e79 or later to resolve this issue.