CVE-2025-61584

Name of the Vulnerable Software and Affected Versions serverless-dns versions through 0.1.30

Description serverless-dns is a RethinkDNS resolver that deploys to various platforms including Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. A flaw exists where the pr.yml GitHub Action interpolates untrusted input, specifically the github.event.pull request.head.repo.clone url and github.head ref variables, into a command executed by the runner. Because the action uses the pull request target trigger, it has permissive permissions by default. An attacker can exploit this to push arbitrary data to the repository, leading to the execution of the attacker's code when running serverless-dns.

Recommendations Update to version 0.1.31 or later.