CVE-2025-53104
BaseFortify
Publication date: 2025-07-01
Last updated on: 2025-07-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection issue in the discussion-to-slack.yml GitHub Actions workflow of the gluestack-ui library. Untrusted input from GitHub Discussion fields like title or body was directly inserted into shell commands without proper sanitization. An attacker could craft a malicious discussion title or body containing shell commands (e.g., $(curl ...)) that would be executed on the GitHub Actions runner, potentially allowing arbitrary command execution. The vulnerability was fixed by removing the vulnerable workflow.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker to execute arbitrary shell commands on the GitHub Actions runner where the workflow is executed. This could lead to unauthorized access, data leakage, or manipulation of the build environment, potentially compromising the security and integrity of the CI/CD pipeline.
What immediate steps should I take to mitigate this vulnerability?
Remove the discussion-to-slack.yml GitHub Actions workflow from your repository or fork, as the vulnerability is due to untrusted discussion fields being interpolated into shell commands in this workflow. This workflow was removed in commit e6b4271, which fixes the issue.