CVE-2023-27581
github-slug-action vulnerable to arbitrary code execution
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0` and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. A patched action is available in version 4.4.1. No workaround is available.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-03-04 CVE Reserved
- 2023-03-13 CVE Published
- 2025-02-25 CVE Updated
- 2025-02-25 First Exploit
- 2025-04-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/rlespinasse/github-slug-action/releases/tag/v4.4.1 | Release Notes |
| URL | Date | SRC |
|---|---|---|
| https://securitylab.github.com/research/github-actions-untrusted-input | 2025-02-25 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/rlespinasse/github-slug-action/commit/102b1a064a9b145e56556e22b18b19c624538d94 | 2023-03-17 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/rlespinasse/github-slug-action/security/advisories/GHSA-6q4m-7476-932w | 2023-03-17 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Github-slug-action Project Search vendor "Github-slug-action Project" | Github-slug-action Search vendor "Github-slug-action Project" for product "Github-slug-action" | >= 4.0.0 < 4.4.1 Search vendor "Github-slug-action Project" for product "Github-slug-action" and version " >= 4.0.0 < 4.4.1" | - |
Affected
| ||||||