Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31900 is a vulnerability in the GitHub Action for the Python code formatter Black. When the action is configured with the option use_pyproject: true, it reads the Black version from the repository's pyproject.toml file. A malicious pull request can exploit this by modifying pyproject.toml to specify a direct URL to a malicious repository."}, {'type': 'paragraph', 'content': "This allows arbitrary code execution within the context of the GitHub Action, meaning attackers could run malicious code during the action's runtime."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the version parsing logic did not properly restrict the format of the version specification, allowing unsafe inputs like direct URLs.'}, {'type': 'paragraph', 'content': 'Version 26.3.0 fixes this by enforcing stricter validation of the version string, only allowing standard version specifiers and rejecting direct URL references.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to arbitrary code execution within the GitHub Action environment.

Attackers exploiting this can gain access to secrets and permissions available to the action, potentially compromising sensitive data or systems.

Since GitHub Actions often have access to repository secrets and tokens, this could lead to unauthorized access or further attacks on the repository or connected infrastructure.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if your GitHub Action workflow for Black uses the option `use_pyproject: true` and if the Black version is being read from the repository's pyproject.toml file."}, {'type': 'paragraph', 'content': 'You should inspect the pyproject.toml file in your repository for any direct URL references to Black versions, which are disallowed and indicate the vulnerability.'}, {'type': 'paragraph', 'content': 'A practical approach is to search your workflow files for the use of `use_pyproject: true` and then check the pyproject.toml for suspicious version specifications.'}, {'type': 'list_item', 'content': "Use grep or similar commands to find `use_pyproject` usage in your GitHub workflows: `grep -r 'use_pyproject: true' .github/workflows/`"}, {'type': 'list_item', 'content': "Check the pyproject.toml for version specifications that include URLs or non-standard formats: `grep -E 'black.*@|black.*https?://' pyproject.toml`"}, {'type': 'paragraph', 'content': 'If such patterns are found, it indicates the presence of the vulnerability or an attempt to exploit it.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the Black GitHub Action to version 26.3.0 or later, as this version includes a fix that enforces stricter validation of the Black version specification.

If upgrading immediately is not possible, avoid using the `use_pyproject: true` option in your GitHub Action workflows to prevent reading potentially malicious version specifications from pyproject.toml.

Alternatively, explicitly set the Black version using the `with.version` parameter in your workflow instead of relying on the pyproject.toml file.

Ensure that your workflows use `psf/black@stable` to automatically receive the security fix.

Useful 0 Not Useful 0