CVE-2025-61584
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-30

Last updated on: 2025-10-02

Assigner: GitHub, Inc.

Description
serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Versions through abd including 0.1.30 have a vulnerability where the pr.yml GitHub Action interpolates in an unsafe manner untrusted input, specifically the github.event.pull_request.head.repo.clone_url and github.head_ref, to a command in the runner. Due to the action using the pull_request_target trigger it has permissive permissions by default. An unauthorized attacker can exploit this vulnerability to push arbitrary data to the repository. The subsequent impact on the end-user is executing the attackers' code when running serverless-dns. This is fixed in commit c5537dd, and expected to be released in 0.1.31.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-30
Last Modified
2025-10-02
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-61584
EUVD
EUVD-2025-31664
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
serverless-dns serverless-dns 0.1.30
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61584 is a high-severity command injection vulnerability in the serverless-dns project's GitHub Action workflow (pr.yml). The vulnerability occurs because untrusted inputs from GitHub events, specifically github.event.pull_request.head.repo.clone_url and github.head_ref, are interpolated unsafely directly into commands executed by the GitHub Actions runner. The workflow uses the pull_request_target trigger, which runs with permissive permissions, allowing an unauthorized attacker to exploit this by pushing arbitrary data to the repository. This can lead to execution of attacker-controlled code when serverless-dns runs. The root cause is improper environment variable interpolation syntax, which fails to safely handle untrusted inputs. [1]

Impact Analysis

This vulnerability can allow an unauthorized attacker to push arbitrary data to the serverless-dns repository via the GitHub Actions workflow. As a result, the attacker can execute malicious code when serverless-dns runs, potentially compromising the system or environment where serverless-dns is deployed. This could lead to unauthorized code execution, data manipulation, or other security breaches. [1]

Detection Guidance

This vulnerability can be detected by reviewing the GitHub Actions workflow file `.github/workflows/pr.yml` in your serverless-dns repository. Specifically, check if the workflow uses the `pull_request_target` trigger and if it interpolates untrusted inputs such as `github.event.pull_request.head.repo.clone_url` and `github.head_ref` directly into commands without using intermediate environment variables. There are no specific network or system commands provided to detect exploitation. Instead, manual inspection of the workflow file for unsafe interpolation patterns like `${{ env.VARIABLE }}` used directly in shell commands is recommended. [1]

Mitigation Strategies

Immediate mitigation steps include updating the GitHub Actions workflow `.github/workflows/pr.yml` to follow GitHub's security hardening guidelines by assigning untrusted inputs to intermediate environment variables before using them in commands. Specifically, replace direct interpolation of variables like `${{ env.PR_HEAD_REF }}` in `git push` commands with environment variables such as `$PR_REF` that are set to `${{ env.PR_HEAD_REF }}`. This reduces the risk of command injection. Additionally, monitor for the release of version 0.1.31 or later of serverless-dns which includes the official patch (commit c5537dd). [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61584. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart