CVE-2025-54416
BaseFortify
Publication date: 2025-07-26
Last updated on: 2025-07-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | tj-actions_branch-names | 9.0.0 |
| github | tj-actions_branch-names | 8.2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54416 is a critical command injection vulnerability in the tj-actions/branch-names GitHub Action (versions 8.2.1 and below). It occurs because the action writes branch and tag names to the GitHub Actions output file with `echo` wrapped around `eval printf`. That pattern effectively undoes the input sanitization, so a specially crafted branch or tag name containing shell syntax is executed in downstream workflows that consume these outputs. The root cause is inconsistent input sanitization combined with unescaped output, which lets an attacker run arbitrary commands with the privileges of the GitHub Actions runner. The issue is fixed in version 9.0.0 by replacing the unsafe output method with a plain `printf` call that prevents command injection. [1, 2]
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary commands in downstream GitHub workflows that consume outputs from the vulnerable action. Exploitation can lead to theft of repository secrets, unauthorized write access to the repository, and compromise of repository integrity and security. Since the commands run with the privileges of the GitHub Actions runner, the impact is severe and can affect confidentiality, integrity, and availability of the repository and its workflows. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your GitHub workflows use the vulnerable versions (8.2.1 and below) of the tj-actions/branch-names action. Specifically, look for usage of the unsafe pattern involving `eval printf "%s"` in the workflow logs or action code. A practical detection method is to search your workflow files for the vulnerable action version or the unsafe code pattern. For example, you can run commands like `grep -r 'tj-actions/branch-names@' .github/workflows/` to find the action version in your workflows. Additionally, inspecting workflow logs for suspicious branch names containing shell command patterns (e.g., `$(` or `|`) may indicate exploitation attempts. There are no direct commands provided to detect the vulnerability on the network or system, but reviewing workflow configurations and logs for the unsafe usage is recommended. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the tj-actions/branch-names GitHub Action to version 9.0.0 or later, where the unsafe `eval printf` usage is replaced with plain `printf` calls that do not allow command injection. If updating is not immediately possible, review and modify your workflows to remove or replace the vulnerable action. The fix changes the output code from `echo "variable=$(eval printf ...)"` to `printf "variable=%s\n" "$VALUE"`, so the value is never re-evaluated by the shell. Additionally, avoid branch or tag names that contain special shell characters until the action is updated. [1, 2]
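As an added example (not code from tj-actions/branch-names or from this advisory), the safe output pattern the fix describes, together with a POSIX sh check that classifies each `tj-actions/branch-names@` pin found under a repository's `.github/workflows/` directory; the function names, the workflow tree and the pins in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from tj-actions/branch-names or the advisory.
# Part 1: the safe output pattern the 9.0.0 fix uses. printf with a %s
# conversion copies the value byte-for-byte; nothing in it is re-evaluated.
set_output() {
  # $1 = output name, $2 = value, $3 = output file (defaults to $GITHUB_OUTPUT)
  printf '%s=%s\n' "$1" "$2" >> "${3:-$GITHUB_OUTPUT}"
}

# Part 2: classify a `uses:` reference for tj-actions/branch-names.
# Prints "fixed" for 9.0.0 and later, "vulnerable" for earlier version tags,
# and "unknown" for a commit SHA or branch ref, which must be checked by hand.
branch_names_ref_status() {
  ref="${1#*@}"            # strip "tj-actions/branch-names@"
  ver="${ref#v}"           # strip the leading v of v8.2.1 / v9
  major="${ver%%.*}"       # major version component
  case "$major" in
    ''|*[!0-9]*) echo unknown; return 0 ;;   # SHA, branch name, or no digits
  esac
  if [ "$major" -ge 9 ]; then echo fixed; else echo vulnerable; fi
}

# Part 3: scan every workflow file under a directory and report each pin once.
scan_workflows() {
  grep -rhoE 'tj-actions/branch-names@[^[:space:]]+' "$1" 2>/dev/null | sort -u |
  while read -r ref; do
    printf '%s %s\n' "$(branch_names_ref_status "$ref")" "$ref"
  done
}

# Demo on a constructed workflow tree (the pins below are made up for the demo).
demo() {
  tree=$(mktemp -d)
  mkdir -p "$tree/.github/workflows"
  cat > "$tree/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: tj-actions/branch-names@v8.2.1
      - uses: tj-actions/branch-names@v9.0.0
EOF
  scan_workflows "$tree"          # vulnerable ...@v8.2.1 / fixed ...@v9.0.0
  set_output branch 'release/$(date)' "$tree/out.txt"
  cat "$tree/out.txt"             # branch=release/$(date), written verbatim
  rm -rf "$tree"
}
demo
```

A pin reported as `unknown` (a commit SHA or branch ref) has to be resolved against the action's release history by hand before it can be called safe.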