CVE-2025-55192
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-09-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| homeassistant | tapo_control | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a code injection issue in the GitHub Actions workflow of the HomeAssistant-Tapo-Control repository. Specifically, the workflow directly inserts user-controlled content from the issue body into a Bash conditional without proper sanitization. A malicious GitHub user could craft an issue body that executes arbitrary commands on the GitHub Actions runner with privileged access whenever an issue is opened. It only affects the CI/CD environment of the repository, not the Home Assistant integration itself.
How can this vulnerability impact me?
The impact is limited to the repository's CI/CD environment. An attacker exploiting this vulnerability could execute arbitrary commands on the GitHub Actions runner, potentially gaining access to repository contents or GitHub Actions secrets. This could lead to unauthorized access or manipulation of the repository's code or secrets used in workflows.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the GitHub Actions workflow file .github/workflows/issues.yml in the repository and is related to unsafe handling of user input in the workflow. Detection involves reviewing the workflow file for unsafe Bash conditionals that directly insert user-controlled content without sanitization. Specifically, look for usage of github.event.issue.body in Bash conditionals without proper quoting or sanitization. Since it only impacts the GitHub Actions environment and not the deployed system or network, network detection commands are not applicable. To detect the vulnerability, inspect the workflow file for unsafe code patterns or check if the workflow has been updated past commit 2a3b80f which patched the issue.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the affected GitHub Actions workflow file (.github/workflows/issues.yml), replacing the unsafe Bash conditional that interpolates user input with a safely quoted grep (reading the issue body from an environment variable) or a pure GitHub Actions expression check, and limiting the workflow token by adding a minimal `permissions:` block to reduce the possible impact. Applying the patch from commit 2a3b80f, which fixes the code injection vulnerability, is also essential.
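The following script is an added example, not code from BaseFortify or from the HomeAssistant-Tapo-Control repository, and it serves both the detection advice above (look for `github.event.issue.body` interpolated into a `run:` script) and the mitigation advice (move the value into an environment variable, test it with a quoted `grep -qF`, and add a `permissions:` block). The two embedded workflow documents are constructed to illustrate the pattern; they are not the project's actual issues.yml, and the step name, the string being searched for, and the `has-log` output are assumptions. The scanner uses only the standard library and deliberately avoids a YAML parser so it can be dropped into a repository audit without extra dependencies.

```python
"""Scan GitHub Actions workflow text for attacker-controlled context expressions
inside `run:` scripts, and check whether a workflow declares a permissions block.

Added example (not the page's or the project's own code). Both sample workflows
below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Event-payload fields that carry text written by arbitrary GitHub users. Any of
# these interpolated with ${{ }} into a shell script is substituted *before* the
# shell parses the script, which is the CWE-94 pattern described on this page.
UNTRUSTED_CONTEXTS = re.compile(
    r"\$\{\{\s*github\.event\.(issue|pull_request|comment|review|discussion)\.[\w.]+"
    r"|\$\{\{\s*github\.(head_ref|event\.head_commit\.message)"
)

# Constructed: mirrors the vulnerable shape (issue body inside a Bash conditional).
VULNERABLE_WORKFLOW = """\
name: issues
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Check for debug log
        run: |
          if [[ "${{ github.event.issue.body }}" == *"debug log"* ]]; then
            echo "has-log=true" >> "$GITHUB_OUTPUT"
          fi
"""

# Constructed: the hardened shape. The body reaches the shell only as the value
# of an environment variable, grep -qF treats it as a fixed string, and the
# permissions block restricts what the job's GITHUB_TOKEN can do.
HARDENED_WORKFLOW = """\
name: issues
on:
  issues:
    types: [opened]
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Check for debug log
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          if grep -qF "debug log" <<< "$ISSUE_BODY"; then
            echo "has-log=true" >> "$GITHUB_OUTPUT"
          fi
"""


def extract_run_scripts(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (first_line_number, script_text) for every `run:` step.

    Handles both single-line `run: cmd` and block scalars `run: |`. Line
    numbers are 1-based and point at the first line of the script itself.
    """
    lines = workflow_text.splitlines()
    scripts: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        # Column of the `run` key itself (after an optional list dash).
        key_col = len(m.group(1)) + len(m.group(2) or "")
        rest = m.group(3).strip()
        if rest in ("|", "|-", "|+", ">", ">-", ">+"):
            # Block scalar: body is every following line indented deeper than the key.
            start, body = i + 2, []
            i += 1
            while i < len(lines) and (
                lines[i].strip() == ""
                or len(lines[i]) - len(lines[i].lstrip()) > key_col
            ):
                body.append(lines[i])
                i += 1
            scripts.append((start, "\n".join(body)))
        else:
            scripts.append((i + 1, rest))
            i += 1
    return scripts


def find_script_injections(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each run-script line that
    interpolates an untrusted context expression."""
    findings = []
    for start, script in extract_run_scripts(workflow_text):
        for offset, line in enumerate(script.splitlines()):
            if UNTRUSTED_CONTEXTS.search(line):
                findings.append((start + offset, line.strip()))
    return findings


def has_permissions_block(workflow_text: str) -> bool:
    """True if the workflow declares a top-level `permissions:` block."""
    return re.search(r"^permissions:", workflow_text, re.MULTILINE) is not None


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{label}] permissions block: {has_permissions_block(text)}")
        for lineno, line in find_script_injections(text):
            print(f"[{label}] line {lineno}: untrusted input in run script: {line}")
```

Run it against a checked-out repository by reading each file under .github/workflows/ and passing its text to `find_script_injections`; a clean result for a file does not prove it safe (expressions can also reach a script through a composite action or a reusable workflow), but any hit is a concrete line to fix in the way the hardened sample shows.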