CVE-2025-53546
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-07-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | actions | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the use of pull_request_target in the GitHub Actions workflow file .github/workflows/auto-fix-lint-format-commit.yml. Attackers can exploit this to execute untrusted code with full access to secrets from the base repository. Specifically, they can exfiltrate the GITHUB_TOKEN, which has high privileges including content write access, allowing them to potentially take over the repository.
How can this vulnerability impact me?
Exploiting this vulnerability allows attackers to gain full access to the repository's secrets and write privileges via the GITHUB_TOKEN. This can lead to a complete takeover of the repository, unauthorized code changes, data exfiltration, and compromise of the integrity and security of the project.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your repository to include the fix from commit 585c6a591440cd39f92374230ac5d65d7dd23d6a, which addresses the use of pull_request_target in the .github/workflows/auto-fix-lint-format-commit.yml workflow. Avoid combining pull_request_target with untrusted code, since the workflow then runs that code with full access to the base repository's secrets. Review and restrict the permissions of GITHUB_TOKEN to minimize the potential impact.
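As an added illustration (constructed for this record, not the affected project's actual auto-fix-lint-format-commit.yml), the weak trigger pattern the Q&A describes beside a hardened variant. The checkout of the PR head, the write permission and the lint script path are assumptions about a typical auto-fix workflow, not details taken from the advisory.

```yaml
# Constructed example; not the real .github/workflows/auto-fix-lint-format-commit.yml.
#
# WEAK: pull_request_target runs in the base repository's context, so repository
# secrets are available and GITHUB_TOKEN carries the base repo's permissions.
# Checking out the PR head (assumed here) and running a script from it means
# code controlled by the PR author executes with that privileged token.
name: auto-fix-lint-format-commit (weak pattern)
on:
  pull_request_target:          # base-repo context: secrets + privileged token
permissions:
  contents: write               # token can push commits to the repository
jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR-controlled tree
      - run: ./scripts/lint-fix.sh                        # script comes from the PR
      - run: git commit -am "auto-fix" && git push        # uses the write token
---
# HARDENED: use the pull_request trigger instead. For pull requests from forks it
# runs with a read-only GITHUB_TOKEN and without base-repo secrets, and the job
# only gets the permissions it needs. Lint failures are reported, not auto-pushed.
name: lint-check (hardened pattern)
on:
  pull_request:
permissions:
  contents: read
  pull-requests: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref (PR merge commit), no write token
      - run: ./scripts/lint-check.sh  # same PR-controlled script, now unprivileged
```

If an automatic fix commit is still wanted, keep it in a separate job that never executes PR-controlled code, or limit it to branches in the base repository itself.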