CVE-2025-54430
BaseFortify

Publication date: 2025-07-30

Last updated on: 2025-07-31

Assigner: GitHub, Inc.

Description
dedupe is a Python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, the repository's .github/workflows/benchmark-bot.yml workflow contained a critical-severity vulnerability: the workflow is triggered by an issue_comment event whose body contains @benchmark, and it checks out the pull request identified by ${{ github.event.issue.number }}, that is, the head branch controlled by whoever opened the PR, and then runs code from it. Because issue_comment workflows run with the repository's secrets and can be triggered by anyone able to comment on a pull request, this lets an untrusted contributor execute code inside the workflow. Running untrusted code may lead to the exfiltration of GITHUB_TOKEN, which in this workflow has write permissions on most scopes, in particular contents, and could lead to repository takeover. This is fixed by commit 3f61e79.
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-07-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
One associated CPE: vendor dedupeio, product dedupe, version/range * (unbounded; the CPE range does not encode the fixing commit).
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Note that CWE-78 is the classification recorded for this entry; the description above is about checking out and executing code from an attacker-controlled pull request head, not about an unescaped string reaching a shell, so quoting or sanitizing inputs inside the workflow would not be a sufficient fix.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the dedupe Python library's GitHub workflow file .github/workflows/benchmark-bot.yml before commit 3f61e79. The workflow can be triggered by an issue_comment containing '@benchmark'. It checks out the head of the pull request identified by the issue number, so an attacker who opens a pull request and comments on it can get their own code executed by the workflow. That untrusted code runs with access to GITHUB_TOKEN, which has write permissions on many scopes including repository contents, so the token can be exfiltrated and used to take over the repository.


How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker to execute arbitrary code within the GitHub workflow environment and steal the GITHUB_TOKEN. Since this token has write permissions on the repository, the attacker could modify repository contents, inject malicious code, or take over the repository entirely, leading to significant security risks including code integrity compromise and unauthorized access.


What immediate steps should I take to mitigate this vulnerability?

This vulnerability lives in the dedupe repository's own CI configuration, not in the installed Python package, so the fix applies to maintainers of the dedupeio/dedupe repository and of any fork that carries the same workflow: include the change from commit 3f61e79, which corrects .github/workflows/benchmark-bot.yml so that the workflow no longer checks out and executes the pull-request branch identified by the issue number. If you maintain a similar issue_comment-triggered workflow elsewhere, apply the same principle: do not run code from a ref that a PR author controls while a privileged GITHUB_TOKEN is available, and set a restrictive permissions: block so the token cannot write to contents. Consumers of the dedupe package are affected only indirectly, through the risk that a repository takeover could have been used to publish tampered code; keep the package updated.
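Added illustration, not code from this page, from the dedupe project or from commit 3f61e79: a minimal reconstruction of the workflow pattern that the description and the mitigation answer above describe, followed by one hardened form of it. The job and step names, the benchmark commands, the --target flag, the assumption of a public repository and the exact ref expression are assumptions; the GitHub Actions keys, contexts and gh CLI calls are real.

```yaml
# --- Vulnerable pattern (illustrative reconstruction, not the real file) ---
name: benchmark-bot
on:
  issue_comment:
    types: [created]
# No 'permissions:' block, so GITHUB_TOKEN inherits the repository default,
# which for older repositories includes contents: write.
jobs:
  benchmark:
    # Any GitHub user who can comment on a pull request can satisfy this.
    if: github.event.issue.pull_request && contains(github.event.comment.body, '@benchmark')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # issue_comment runs against the default branch, so the PR head is
          # fetched explicitly. Whoever opened the PR controls this ref.
          ref: refs/pull/${{ github.event.issue.number }}/head
      # Installing and running the checked-out tree executes the PR author's
      # code (build hooks, conftest.py, the benchmark script itself) while the
      # privileged token is persisted in .git/config by actions/checkout.
      - run: |
          pip install -e .
          python benchmarks/run_benchmark.py   # hypothetical script name
---
# --- Hardened pattern (one possible fix, not necessarily commit 3f61e79's) ---
name: benchmark-bot
on:
  issue_comment:
    types: [created]
# Least privilege: read code, post one comment, nothing else. The token can no
# longer push to contents even if it leaks.
permissions:
  contents: read
  pull-requests: write
jobs:
  benchmark:
    # PR comments only, trigger phrase only, and only from accounts that already
    # hold a trusted role on the repository.
    if: github.event.issue.pull_request && contains(github.event.comment.body, '@benchmark') && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      # The trusted harness comes from the default branch. Do not leave the
      # token in .git/config where code run later in the job could read it.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # Fetch the PR head into a separate worktree. Fetching executes nothing;
      # only installing or importing the tree would run PR-controlled code.
      # Assumes a public repository (anonymous fetch). The integer issue number
      # is passed through env rather than interpolated into the script.
      - name: Fetch PR head without executing it
        env:
          PR: ${{ github.event.issue.number }}
        run: |
          git fetch --depth=1 origin "refs/pull/$PR/head"
          git worktree add ../pr-head FETCH_HEAD
      # The harness from the trusted checkout drives the PR code. Anything that
      # does execute from ../pr-head finds no token: it is not in the
      # environment and, with persist-credentials: false, not in .git/config.
      - run: python benchmarks/run_benchmark.py --target ../pr-head   # hypothetical
      - name: Post result
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.issue.number }}
        run: gh pr comment "$PR" --body-file benchmark-result.md
```

The author_association gate blocks drive-by triggers from arbitrary accounts but also blocks external contributors entirely; allowing CONTRIBUTOR (anyone with a merged commit) is a weaker bar that maintainers must weigh. The residual risk in the hardened form is the pull-requests: write scope, which if leaked grants at most the ability to post comments. To remove even that, the usual split is an unprivileged job that uploads the benchmark output as an artifact and a separate workflow_run-triggered workflow with write permissions that downloads and posts it, so no job that touches PR-controlled code ever holds a writable token.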

