Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-ghm2-rq8q-wrhc

GitHub Security Advisory

Potential Actions command injection in output filenames (GHSL-2023-275)

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Summary
The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.

### Details
The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution.

This could potentially allow filenames that contain special characters such as `;` and \` (backtick) which can be used by an attacker to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands an attacker may be able to steal **secrets** such as `GITHUB_TOKEN` if triggered on other events than `pull_request`. For example on `push`.

#### Proof of Concept

1. Submit a pull request to the repository with a new file injecting a command. For example `$(whoami).txt` would be a valid filename.
2. Upon approval of the workflow (triggered by the pull request), the action will get executed and the malicious pull request filename will flow into the `List all changed files tracked and untracked files` step.

```yaml
- name: List all changed files tracked and untracked files
run: |
echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
```

Example output:

```yaml
##[group]Run echo "Changed files: $(whoami).txt"
echo "Changed files: $(whoami).txt"
shell: /usr/bin/bash -e {0}
##[endgroup]
Changed files: runner.txt
```

### Impact
This issue may lead to arbitrary command execution in the GitHub Runner.

### Resolution
- A new `safe_output` input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.

- A safe recommendation of using environment variables to store unsafe outputs.

```yaml
- name: List all changed files tracked and untracked files
env:
CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
run: |
echo "Changed files: $CHANGED_FILES"
```

### Resources

* [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/)
* [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Affected Packages

GitHub Actions tj-actions/verify-changed-files
Affected versions: 0 (fixed in 17)

Related CVEs

CVE-2023-52137

Key Information

GHSA ID
GHSA-ghm2-rq8q-wrhc
Published
January 2, 2024 4:42 PM
Last Modified
January 2, 2024 4:42 PM
CVSS Score
7.5 /10
Primary Ecosystem
GitHub Actions
Primary Package
tj-actions/verify-changed-files
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 3, 2025 6:48 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.