GitHub Actions, Command Injection, GHSA-r4fj-r33x-8v88 (Critical)

Listen to this Post

How the mentioned CVE works

The vulnerability exists in a GitHub Actions workflow that triggers on `issue_comment` events. Attackers can post any comment on an issue in the repository. The workflow extracts data from `github.event.comment.body` using a `run` step that directly interpolates the value with `${{ }}` before the shell executes. For example, the step:
`echo identifiers=$(echo “${{ github.event.comment.body }}” | grep -oE ‘@njzjz-bot .’ | head -n1 | cut -c12- | xargs) >> $GITHUB_OUTPUT`
Because the `${{ github.event.comment.body }}` is expanded by GitHub Actions prior to the shell running, an attacker can inject shell metacharacters. A payload like `@njzjz-bot paper123″ ) ; whoami ; ` breaks out of the intended command substitution and executes arbitrary commands (e.g., whoami). The output appears in workflow logs, confirming execution. The injected value is also later reused in another step with backticks, propagating the unsanitized input. This allows remote code execution on the runner, with potential access to secrets like GITHUB_TOKEN.

DailyCVE Form

Platform: GitHub Actions
Version: Main branch
Vulnerability: Command injection via
Severity: Critical
date: 2026-03-30

Prediction: Patch within 7

What Undercode Say:

Vulnerable step
run: |
echo identifiers=$(echo "${{ github.event.comment.body }}" | grep -oE '@njzjz-bot .' | head -n1 | cut -c12- | xargs) >> $GITHUB_OUTPUT
Fixed step (using environment variable)
- name: Extract identifiers
env:
COMMENT_BODY: ${{ github.event.comment.body }}
run: |
identifiers=$(echo "$COMMENT_BODY" | grep -oE '@njzjz-bot .' | head -n1 | cut -c12- | xargs)
echo "identifiers=$identifiers" >> $GITHUB_OUTPUT

Exploit:

Post an issue comment with:

`@njzjz-bot paper123″ ) ; whoami ; `

Protection from this CVE:

Never interpolate untrusted user input directly into shell commands. Use environment variables to pass context, or employ `$GITHUB_ENV` and script arguments.

Impact:

Remote arbitrary code execution on the GitHub runner; potential theft of repository secrets and unauthorized actions.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top