PT-2025-33340

Published: 2025-08-14 · Updated: 2025-09-12

CVE-2025-55192

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: HomeAssistant-Tapo-Control versions prior to commit 2a3b80f
Description: HomeAssistant-Tapo-Control, a component offering control of Tapo cameras within Home Assistant, contained a code injection vulnerability in the GitHub Actions workflow located at .github/workflows/issues.yml. The workflow inserted user-controlled content from the issue body (github.event.issue.body) directly into a Bash conditional without sanitization. Because ${{ }} expressions are expanded into the script text before the shell parses it, a malicious GitHub user could craft an issue body that closes the quoted string and appends arbitrary commands, which then ran on the GitHub Actions runner with the workflow's elevated privileges as soon as the issue was created. Any GitHub account able to open an issue against the repository could trigger it. The impact is limited to the repository's CI/CD environment, where it could expose repository contents or the GitHub Actions secrets available to the workflow.
Recommendations: Disable the affected workflow (issues.yml) until it is fixed. Replace the unsafe Bash comparison with a safe check: pass the issue body into the step through an env: variable and compare it with a quoted grep, or use a pure GitHub Actions expression (for example a contains() check in the step's if: condition), which is evaluated by the runner and never reaches a shell. Set a minimal permissions: block on the workflow so that a compromised run cannot write to the repository or read secrets it does not need.
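The following is an added example and is not code from the advisory or from the HomeAssistant-Tapo-Control repository. It reconstructs the vulnerable pattern in a generic form: a run: step compares the interpolated ${{ github.event.issue.body }} against a fixed string, and a small shell function emulates the runner's textual substitution so the injection can be observed offline, next to the env-variable-plus-grep fix the advisory recommends. The comparison string "camera offline", the step text, the attack payload and the INJECTED marker are all constructed for this example; the real issues.yml may differ in detail.

```shell
#!/bin/sh
# Added example: emulates how a GitHub Actions `run:` step is built when an
# expression such as ${{ github.event.issue.body }} appears inside the script.
# The runner substitutes the expression's value into the script TEXT and then
# hands the result to the shell; the shell never sees a quoted value, only
# whatever characters the issue author typed.
# Everything below (template, payload, marker) is constructed for this demo.

# What a vulnerable step body in issues.yml might look like (a reconstruction,
# not the project's actual file): the issue body is compared inline.
VULN_TEMPLATE='if [ "${{ github.event.issue.body }}" = "camera offline" ]; then echo match; else echo nomatch; fi'

# Constructed attacker issue body. It closes the double quote and the test
# command, runs its own command, then reopens a test so that the remainder
# of the original line still parses.
ATTACK_BODY='x" ]; echo INJECTED; [ "x'

# Emulate the runner's expression expansion: a plain textual replacement of
# the expression with the raw value, with no quoting or escaping.
# (awk -v processes backslash escapes; the demo bodies contain none.)
render_step() {
  awk -v tpl="$1" -v body="$2" 'BEGIN {
    needle = "${{ github.event.issue.body }}"
    i = index(tpl, needle)
    if (i == 0) { printf "%s", tpl; exit }
    printf "%s%s%s", substr(tpl, 1, i - 1), body, substr(tpl, i + length(needle))
  }'
}

# Vulnerable: the issue body becomes part of the script, so a crafted body
# injects commands. Prints whatever the rendered script prints.
run_vulnerable() {
  script=$(render_step "$VULN_TEMPLATE" "$1")
  sh -c "$script"
}

# Fixed: the body is passed through the environment (in the YAML this is
#   env:
#     ISSUE_BODY: ${{ github.event.issue.body }}
# ), so the script text is constant and the shell only ever sees a variable.
# grep -F treats the needle literally; printf feeds the body on stdin, so a
# body beginning with '-' cannot be mistaken for a grep option.
run_fixed() {
  ISSUE_BODY="$1" sh -c '
    if printf "%s" "$ISSUE_BODY" | grep -qF "camera offline"; then
      echo match
    else
      echo nomatch
    fi'
}

echo "--- rendered vulnerable step for the attack body ---"
render_step "$VULN_TEMPLATE" "$ATTACK_BODY"; echo
echo "--- vulnerable step output (INJECTED shows command execution) ---"
run_vulnerable "$ATTACK_BODY"
echo "--- fixed step output for the same body ---"
run_fixed "$ATTACK_BODY"
```

The rendered script shows the mechanism directly: after substitution the line reads `if [ "x" ]; echo INJECTED; [ "x" = "camera offline" ]; then ...`, and the shell executes the attacker's command as an ordinary statement. The fixed variant keeps the script text constant, so the same body is only ever data. The other option named in the recommendations avoids the shell entirely: put the check on the step as `if: contains(github.event.issue.body, 'camera offline')`, which the runner evaluates as an expression. Whichever form is used, a narrow `permissions:` block (for example only `issues: write`) bounds what a compromised run can do with the workflow's token.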

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2025-55192
GHSA-XCCG-43HX-C846

Affected Products

Github Actions
Home Assistant
Homeassistant-Tapo-Control
Tapo