Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27701 is a high-severity JavaScript injection vulnerability in the GitHub Actions workflow named 'i18n-update-pull' of the live-codes/livecodes repository."}, {'type': 'paragraph', 'content': "The vulnerability occurs because the workflow directly interpolates the Pull Request (PR) title, which is attacker-controlled, into a JavaScript template literal within an 'actions/github-script@v7' step without proper sanitization."}, {'type': 'paragraph', 'content': 'This improper interpolation allows an attacker who opens a PR with a maliciously crafted title to inject arbitrary JavaScript code that executes with the privileges of the CI bot token.'}, {'type': 'paragraph', 'content': 'The injected code can then exfiltrate repository secrets and perform unauthorized GitHub API operations.'}, {'type': 'paragraph', 'content': 'The issue was fixed by changing the workflow to pass the PR title as an environment variable and accessing it safely in JavaScript, preventing code injection.'}] [2, 1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant impacts on confidentiality and integrity within the affected repository.

• Confidentiality Impact: An attacker can exfiltrate sensitive environment variables and secrets accessible to the GitHub Actions runner, such as API tokens.
• Integrity Impact: The attacker can perform arbitrary GitHub API operations authenticated as the CI bot, including creating pull requests, posting comments, adding reactions, and modifying issues.
• Availability Impact: There is no direct impact on availability.

Overall, the attacker gains the ability to compromise repository secrets and manipulate repository data through unauthorized API actions.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the GitHub Actions workflow file `.github/workflows/i18n-update-pull.yml` in the live-codes/livecodes repository to see if it contains unsafe interpolation of the Pull Request title directly into JavaScript template literals.'}, {'type': 'paragraph', 'content': 'Specifically, look for usage of `${{ github.event.issue.title }}` directly inside an `actions/github-script` JavaScript block, which indicates the vulnerable pattern.'}, {'type': 'paragraph', 'content': 'You can check the workflow file for the vulnerable code pattern by running commands such as:'}, {'type': 'list_item', 'content': 'git clone https://github.com/live-codes/livecodes.git'}, {'type': 'list_item', 'content': "grep -A 5 'github.event.issue.title' .github/workflows/i18n-update-pull.yml"}, {'type': 'paragraph', 'content': 'If the workflow uses the pattern `i18n: ${{ github.event.issue.title }}` inside a script block, it is vulnerable. The fixed version uses an environment variable like `ISSUE_TITLE` and accesses it via `process.env.ISSUE_TITLE` in JavaScript.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, update the `.github/workflows/i18n-update-pull.yml` workflow to avoid direct interpolation of the Pull Request title into JavaScript template literals.

Instead, pass the PR title as an environment variable and access it in the JavaScript code via `process.env`.

Specifically, apply the fix introduced in commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, which includes:

• Adding an environment variable `ISSUE_TITLE` set to `${{ github.event.issue.title }}`.
• Modifying the script to use `i18n: ${process.env.ISSUE_TITLE}` instead of `i18n: ${{ github.event.issue.title }}`.

Additionally, restrict who can trigger the workflow by controlling collaborator comments and monitor for suspicious PR titles.

Useful 0 Not Useful 0