CWE-77
Allowed-with-ReviewImproper Neutralization of Special Elements used in a Command ('Command Injection')
Abstraction: Class · Status: Draft
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
5383 vulnerabilities reference this CWE, most recent first.
GHSA-VWCR-CPGW-P977
Vulnerability from github – Published: 2024-08-27 21:31 – Updated: 2024-08-27 21:31A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
{
"affected": [],
"aliases": [
"CVE-2024-8210"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-27T19:15:18Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.",
"id": "GHSA-vwcr-cpgw-p977",
"modified": "2024-08-27T21:31:14Z",
"published": "2024-08-27T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8210"
},
{
"type": "WEB",
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_3rd_DiskMGR.md"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.275919"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.275919"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.397274"
},
{
"type": "WEB",
"url": "https://www.dlink.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VWQH-MHGJ-P4M8
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2023-07-07 21:30Multiple vulnerabilities in the Cisco ATA 190 Series Analog Telephone Adapter Software could allow an attacker to perform a command injection attack resulting in remote code execution or cause a denial of service (DoS) condition on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-34735"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T20:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the Cisco ATA 190 Series Analog Telephone Adapter Software could allow an attacker to perform a command injection attack resulting in remote code execution or cause a denial of service (DoS) condition on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-vwqh-mhgj-p4m8",
"modified": "2023-07-07T21:30:15Z",
"published": "2022-05-24T19:16:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34735"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multivuln-A4J57F3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWV2-HG2H-447M
Vulnerability from github – Published: 2023-03-01 09:30 – Updated: 2023-03-13 15:30Vulnerability in the CLI of Cisco Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary commands. These vulnerability is due to improper input validation in the CLI. An attacker could exploit this vulnerability by injecting operating system commands into a legitimate command. A successful exploit could allow the attacker to escape the restricted command prompt and execute arbitrary commands on the underlying operating system. To successfully exploit this vulnerability, an attacker would need valid Administrator credentials.
{
"affected": [],
"aliases": [
"CVE-2023-20075"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-01T08:15:00Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the CLI of Cisco Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary commands. These vulnerability is due to improper input validation in the CLI. An attacker could exploit this vulnerability by injecting operating system commands into a legitimate command. A successful exploit could allow the attacker to escape the restricted command prompt and execute arbitrary commands on the underlying operating system. To successfully exploit this vulnerability, an attacker would need valid Administrator credentials.",
"id": "GHSA-vwv2-hg2h-447m",
"modified": "2023-03-13T15:30:19Z",
"published": "2023-03-01T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20075"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-privesc-9DVkFpJ8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWWM-G3PW-3Q86
Vulnerability from github – Published: 2023-05-23 03:30 – Updated: 2024-04-04 04:17There is a command injection vulnerability in the Linksys E2000 router with firmware version 1.0.06. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ssid, wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges.
{
"affected": [],
"aliases": [
"CVE-2023-31741"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-23T01:15:10Z",
"severity": "HIGH"
},
"details": "There is a command injection vulnerability in the Linksys E2000 router with firmware version 1.0.06. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ssid, wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges.",
"id": "GHSA-vwwm-g3pw-3q86",
"modified": "2024-04-04T04:17:24Z",
"published": "2023-05-23T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31741"
},
{
"type": "WEB",
"url": "https://github.com/D2y6p/CVE/blob/main/Linksys/CVE-2023-31741/Linksys_E2000_RCE_2.pdf"
},
{
"type": "WEB",
"url": "http://linksys.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VX24-X4MV-VWR5
Vulnerability from github – Published: 2024-07-26 21:24 – Updated: 2025-12-22 16:31Description
Starship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash. Version 1.20.0 fixes the vulnerability.
PoC
Have some custom command which prints out information from a potentially untrusted/unverified source.
[custom.git_commit_name]
command = 'git show -s --format="%<(25,mtrunc)%s"'
style = "italic"
when = true
Impact
This issue only affects users with custom commands, so the scope is limited, and without knowledge of others' commands, it could be hard to successfully target someone.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.19.0"
},
"package": {
"ecosystem": "crates.io",
"name": "starship"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.20.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-41815"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-26T21:24:18Z",
"nvd_published_at": "2024-07-26T21:15:14Z",
"severity": "HIGH"
},
"details": "## Description \nStarship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash. Version 1.20.0 fixes the vulnerability.\n\n### PoC\nHave some custom command which prints out information from a potentially untrusted/unverified source.\n```\n[custom.git_commit_name]\ncommand = \u0027git show -s --format=\"%\u003c(25,mtrunc)%s\"\u0027\nstyle = \"italic\"\nwhen = true\n```\n\n### Impact\nThis issue only affects users with custom commands, so the scope is limited, and without knowledge of others\u0027 commands, it could be hard to successfully target someone.",
"id": "GHSA-vx24-x4mv-vwr5",
"modified": "2025-12-22T16:31:41Z",
"published": "2024-07-26T21:24:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/starship/starship/security/advisories/GHSA-vx24-x4mv-vwr5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41815"
},
{
"type": "WEB",
"url": "https://github.com/starship/starship/commit/cfc58161e0ec595db90af686ad77a73df6d44d74"
},
{
"type": "PACKAGE",
"url": "https://github.com/starship/starship"
},
{
"type": "WEB",
"url": "https://github.com/starship/starship/releases/tag/v1.20.0"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0446.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Starship vulnerable to shell injection via undocumented, unpredictable shell expansion in custom commands"
}
GHSA-VX2X-8VVG-M4R6
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header.
{
"affected": [],
"aliases": [
"CVE-2016-10329"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-12T20:29:00Z",
"severity": "CRITICAL"
},
"details": "Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted \u0027X-Forwarded-For\u0027 header.",
"id": "GHSA-vx2x-8vvg-m4r6",
"modified": "2022-05-13T01:38:51Z",
"published": "2022-05-13T01:38:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10329"
},
{
"type": "WEB",
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-01-PhotoStation-Login-without-password"
},
{
"type": "WEB",
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-02-PhotoStation-Remote-Code-Execution"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VX48-JG76-PQ22
Vulnerability from github – Published: 2023-08-17 00:30 – Updated: 2024-01-25 18:30Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges. The attacker would need to have Administrator privileges on the affected device to exploit these vulnerabilities.
These vulnerabilities are due to insufficient input validation when extracting uploaded software packages. An attacker could exploit these vulnerabilities by authenticating to an affected device and uploading a crafted software package. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.
{
"affected": [],
"aliases": [
"CVE-2023-20013"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-16T22:15:09Z",
"severity": "CRITICAL"
},
"details": "Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges. The attacker would need to have Administrator privileges on the affected device to exploit these vulnerabilities.\n\n These vulnerabilities are due to insufficient input validation when extracting uploaded software packages. An attacker could exploit these vulnerabilities by authenticating to an affected device and uploading a crafted software package. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.",
"id": "GHSA-vx48-jg76-pq22",
"modified": "2024-01-25T18:30:38Z",
"published": "2023-08-17T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20013"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ivpa-cmdinj-C5XRbbOy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VX4H-FXV4-24PQ
Vulnerability from github – Published: 2024-03-28 21:30 – Updated: 2024-03-28 21:30Dell vApp Manager, versions prior to 9.2.4.9 contain a Command Injection Vulnerability. An authorized attacker could potentially exploit this vulnerability leading to an execution of an inserted command. Dell recommends customers to upgrade at the earliest opportunity.
{
"affected": [],
"aliases": [
"CVE-2024-25946"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-28T19:15:47Z",
"severity": "HIGH"
},
"details": "Dell vApp Manager, versions prior to 9.2.4.9 contain a Command Injection Vulnerability. An authorized attacker could potentially exploit this vulnerability leading to an execution of an inserted command. Dell recommends customers to upgrade at the earliest opportunity.",
"id": "GHSA-vx4h-fxv4-24pq",
"modified": "2024-03-28T21:30:30Z",
"published": "2024-03-28T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25946"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000223609/dsa-2024-108-dell-powermaxos-5978-dell-powermax-os-10-0-1-5-dell-powermax-os-10-1-0-2-dell-unisphere-360-unisphere-powermax-unisphere-powermax-vapp-dell-solutions-enabler-vapp-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VXC7-J724-6QRX
Vulnerability from github – Published: 2025-08-11 06:30 – Updated: 2025-08-11 06:30A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this vulnerability is the function um_red of the file /goform/RP_setBasicAuto. The manipulation of the argument hname leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-8829"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-11T04:15:46Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this vulnerability is the function um_red of the file /goform/RP_setBasicAuto. The manipulation of the argument hname leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-vxc7-j724-6qrx",
"modified": "2025-08-11T06:30:31Z",
"published": "2025-08-11T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8829"
},
{
"type": "WEB",
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys1/vuln_45/45.md"
},
{
"type": "WEB",
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys1/vuln_45/45.md#poc"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.319363"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.319363"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.626694"
},
{
"type": "WEB",
"url": "https://www.linksys.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VXMW-7H4F-HQXH
Vulnerability from github – Published: 2025-09-04 14:07 – Updated: 2025-09-04 14:07Summary
gh-action-pypi-publish makes use of GitHub Actions expression expansions (i.e. ${{ ... }}) in contexts that are potentially attacker controllable. Depending on the trigger used to invoke gh-action-pypi-publish, this may allow an attacker to execute arbitrary code within the context of a workflow step that invokes gh-action-pypi-publish.
Details
gh-action-pypi-publish contains a composite action step, set-repo-and-ref, that makes use of expression expansions:
- name: Set repo and ref from which to run Docker container action
id: set-repo-and-ref
run: |
# Set repo and ref from which to run Docker container action
# to handle cases in which `github.action_` context is not set
# https://github.com/actions/runner/issues/2473
REF=${{ env.ACTION_REF || env.PR_REF || github.ref_name }}
REPO=${{ env.ACTION_REPO || env.PR_REPO || github.repository }}
REPO_ID=${{ env.PR_REPO_ID || github.repository_id }}
echo "ref=$REF" >>"$GITHUB_OUTPUT"
echo "repo=$REPO" >>"$GITHUB_OUTPUT"
echo "repo-id=$REPO_ID" >>"$GITHUB_OUTPUT"
shell: bash
env:
ACTION_REF: ${{ github.action_ref }}
ACTION_REPO: ${{ github.action_repository }}
PR_REF: ${{ github.event.pull_request.head.ref }}
PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}
Permalink: https://github.com/pypa/gh-action-pypi-publish/blob/db8f07d3871a0a180efa06b95d467625c19d5d5f/action.yml#L114-L125
In normal intended operation, these expansions are used to establish a correct priority for outputs like ref and repo-id.
However, these expansions have a side effect: because they're done with ${{ ... }} and not with ${...} (i.e. normal shell interpolation), they can bypass normal shell quoting rules. In particular, if both env.ACTION_REF and env.PR_REF evaluate to empty strings, then the expression falls back to github.ref_name, which can be an attacker controlled string via a branch or tag name.
For example, if the attacker is able to set a branch name to something like innocent;cat${IFS}/etc/passwd, then the REF line may expand as:
REF=innocent;cat${IFS}/etc/passwd
which would set REF to innocent and then run the attacker's code.
Additional information about dangerous expansions can be found in zizmor's template-injection rule documentation.
Impact
The impact of this vulnerability is very low: the expression in question is unlikely to be evaluated in normal operation, since env.ACTION_REF should always take precedence.
In particular, the action is not vulnerable in many popular configurations, i.e. those where pull_request or release or a push: tags event is used to call the action.
{
"affected": [
{
"package": {
"ecosystem": "GitHub Actions",
"name": "pypa/gh-action-pypi-publish"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-04T14:07:03Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\n`gh-action-pypi-publish` makes use of GitHub Actions expression expansions (i.e. `${{ ... }}`) in contexts that are potentially attacker controllable. Depending on the trigger used to invoke `gh-action-pypi-publish`, this may allow an attacker to execute arbitrary code within the context of a workflow step that invokes `gh-action-pypi-publish`.\n\n### Details\n\n`gh-action-pypi-publish` contains a composite action step, `set-repo-and-ref`, that makes use of expression expansions:\n\n```yaml\n - name: Set repo and ref from which to run Docker container action\n id: set-repo-and-ref\n run: |\n # Set repo and ref from which to run Docker container action\n # to handle cases in which `github.action_` context is not set\n # https://github.com/actions/runner/issues/2473\n REF=${{ env.ACTION_REF || env.PR_REF || github.ref_name }}\n REPO=${{ env.ACTION_REPO || env.PR_REPO || github.repository }}\n REPO_ID=${{ env.PR_REPO_ID || github.repository_id }}\n echo \"ref=$REF\" \u003e\u003e\"$GITHUB_OUTPUT\"\n echo \"repo=$REPO\" \u003e\u003e\"$GITHUB_OUTPUT\"\n echo \"repo-id=$REPO_ID\" \u003e\u003e\"$GITHUB_OUTPUT\"\n shell: bash\n env:\n ACTION_REF: ${{ github.action_ref }}\n ACTION_REPO: ${{ github.action_repository }}\n PR_REF: ${{ github.event.pull_request.head.ref }}\n PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}\n PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}\n```\n\nPermalink: https://github.com/pypa/gh-action-pypi-publish/blob/db8f07d3871a0a180efa06b95d467625c19d5d5f/action.yml#L114-L125\n\nIn normal intended operation, these expansions are used to establish a correct priority for outputs like `ref` and `repo-id`. \n\nHowever, these expansions have a side effect: because they\u0027re done with `${{ ... }}` and not with `${...}` (i.e. normal shell interpolation), they can *bypass normal shell quoting rules*. In particular, if both `env.ACTION_REF` and `env.PR_REF` evaluate to empty strings, then the expression falls back to `github.ref_name`, which can be an attacker controlled string via a branch or tag name. \n\nFor example, if the attacker is able to set a branch name to something like `innocent;cat${IFS}/etc/passwd`, then the `REF` line may expand as:\n\n```bash\nREF=innocent;cat${IFS}/etc/passwd\n```\n\nwhich would set `REF` to `innocent` and then run the attacker\u0027s code.\n\nAdditional information about dangerous expansions can be found in [zizmor\u0027s `template-injection` rule documentation](https://woodruffw.github.io/zizmor/audits/#template-injection).\n\n### Impact\n\nThe impact of this vulnerability is very low: the expression in question is unlikely to be evaluated in normal operation, since `env.ACTION_REF` should always take precedence.\n\nIn particular, the action is **not** vulnerable in many popular configurations, i.e. those where `pull_request` or `release` or a `push: tags` event is used to call the action.",
"id": "GHSA-vxmw-7h4f-hqxh",
"modified": "2025-09-04T14:07:03Z",
"published": "2025-09-04T14:07:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pypa/gh-action-pypi-publish/security/advisories/GHSA-vxmw-7h4f-hqxh"
},
{
"type": "WEB",
"url": "https://github.com/pypa/gh-action-pypi-publish/commit/77db1b7cf7dcea2e403bb4350516284282740dd6"
},
{
"type": "PACKAGE",
"url": "https://github.com/pypa/gh-action-pypi-publish"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps"
}
Mitigation
If at all possible, use library calls rather than external processes to recreate the desired functionality.
Mitigation
If possible, ensure that all external commands called from the program are statically created.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
Mitigation
Assign permissions that prevent the user from accessing/opening privileged files.
CAPEC-136: LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-183: IMAP/SMTP Command Injection
An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
CAPEC-248: Command Injection
An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.
CAPEC-40: Manipulating Writeable Terminal Devices
This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.