CVE-2025-61584
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| serverless-dns | serverless-dns | 0.1.30 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61584 is a high-severity command injection vulnerability in the serverless-dns project's GitHub Actions workflow (pr.yml). It occurs because untrusted inputs taken from the GitHub event, specifically github.event.pull_request.head.repo.clone_url and github.head_ref, are interpolated directly into commands executed by the GitHub Actions runner. The workflow uses the pull_request_target trigger, which runs with permissive permissions, so an unauthorized attacker can exploit the injection to push arbitrary data to the repository. This can lead to execution of attacker-controlled code when serverless-dns runs. The root cause is improper environment variable interpolation syntax, which fails to safely handle untrusted inputs. [1]
How can this vulnerability impact me?
This vulnerability can allow an unauthorized attacker to push arbitrary data to the serverless-dns repository via the GitHub Actions workflow. As a result, the attacker can execute malicious code when serverless-dns runs, potentially compromising the system or environment where serverless-dns is deployed. This could lead to unauthorized code execution, data manipulation, or other security breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing the GitHub Actions workflow file `.github/workflows/pr.yml` in your serverless-dns repository. Specifically, check whether the workflow uses the `pull_request_target` trigger and whether it interpolates untrusted inputs such as `github.event.pull_request.head.repo.clone_url` and `github.head_ref` directly into commands without passing them through intermediate environment variables. No specific network or system commands are provided for detecting exploitation. Instead, manual inspection of the workflow file for unsafe interpolation patterns, such as `${{ env.VARIABLE }}` expressions placed directly inside `run:` shell commands, is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the GitHub Actions workflow `.github/workflows/pr.yml` to follow GitHub's security hardening guidelines by assigning untrusted inputs to intermediate environment variables before using them in commands. Specifically, replace direct interpolation of expressions like `${{ env.PR_HEAD_REF }}` inside `git push` commands with a shell environment variable such as `$PR_REF`, bound to `${{ env.PR_HEAD_REF }}` in the step's `env:` block, so the shell receives the value as data rather than as script text. This reduces the risk of command injection. Additionally, monitor for the release of version 0.1.31 or later of serverless-dns, which includes the official patch (commit c5537dd). [1, 2]
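The unsafe and hardened patterns described above, side by side, as an added illustration that is not the serverless-dns pr.yml itself; the job and step names are assumptions, and only the interpolation style differs between the two jobs:

```yaml
# Illustrative workflow (constructed for this page, not the project's own file).
name: pr

on:
  # pull_request_target runs in the base repository's context with a
  # write-capable GITHUB_TOKEN, so every fork-controlled value that reaches
  # a shell script has to be treated as untrusted.
  pull_request_target:

jobs:
  unsafe-pattern:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # VULNERABLE: ${{ }} expressions are expanded by the runner *before*
      # the script is handed to the shell, so the branch name or clone URL
      # becomes part of the script text itself rather than a value.
      - name: Push (direct interpolation)
        env:
          PR_HEAD_REF: ${{ github.head_ref }}
        run: |
          git remote add fork ${{ github.event.pull_request.head.repo.clone_url }}
          git push fork HEAD:${{ env.PR_HEAD_REF }}

  hardened-pattern:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # HARDENED: bind the untrusted values to environment variables in the
      # step's env block and reference them with shell syntax. The shell
      # sees them only as variable contents, and the double quotes stop
      # word splitting and globbing on whatever they contain.
      - name: Push (env-var indirection)
        env:
          PR_REF: ${{ github.head_ref }}
          FORK_URL: ${{ github.event.pull_request.head.repo.clone_url }}
        run: |
          git remote add fork "$FORK_URL"
          git push fork "HEAD:$PR_REF"
```

When reviewing an existing workflow, the thing to search for is any `${{ ... }}` expression inside a `run:` block that resolves to event data such as `github.head_ref`; a `${{ env.X }}` reference is just as unsafe as the raw context if `X` was itself populated from untrusted input.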