The CVE-2025-12345 vulnerability in OZI-Project/ozi-publish (versions >=1.13.2, <1.13.6) allows code injection via malicious branch names during pull request (PR) creation. The flaw occurs due to insufficient input validation when processing branch names in the PR logic. An attacker can craft a branch name containing executable code, which is then interpreted by the system, leading to arbitrary command execution. The vulnerability stems from improper sanitization of user-supplied data before it is processed in a dynamic execution context.
DailyCVE Form:
Platform: GitHub
Version: 1.13.2-1.13.5
Vulnerability: Code Injection
Severity: Moderate
Date: May 10, 2025
What Undercode Say:
Exploitation:
- Attacker creates a branch with a malicious name (e.g., "; rm -rf /;").
- The branch name is processed unsanitized during PR creation.
- Injected code executes in the context of the OZI-publish service.
Protection:
- Update to patched version 1.13.6.
- Implement strict input validation for branch names.
- Use allowlists for safe characters in branch naming.
Analytics:
- Attack Vector: Remote
- Privilege Escalation: Possible
- Exploit Complexity: Low
Commands:
Check installed version:
  ozi-publish --version
Patch update (if using npm):
  npm update @ozi-project/[email protected]
Manual input sanitization (example in Python):
  import re

  def sanitize_branch(name):
      # Strip every character outside the allowlist (letters, digits, '_' and '-')
      return re.sub(r'[^a-zA-Z0-9_-]', '', name)
Mitigation Script:
  # Pre-PR creation validation
  import re

  def validate_branch(branch):
      # fullmatch rejects anything outside the allowlist (letters, digits, '_' and '-'),
      # including a trailing newline that re.match with '$' would let through
      if not re.fullmatch(r'[\w-]+', branch):
          raise ValueError("Invalid branch name")
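The sanitization and validation snippets above only cover half of the fix: the branch name must also never be spliced into a shell command string. The following is an added example (not code from OZI-Project/ozi-publish or from the advisory) that combines the allowlist validation from the Protection section with argument-list process invocation, so that shell metacharacters in a branch name are never interpreted. The use of the gh CLI, the regex policy, the length limit and the sample branch names are assumptions made for the example.

```python
import re
import subprocess
from typing import Dict, List

# Allowlist policy (hypothetical, stricter than git's own ref rules): slash-separated
# segments of letters, digits, '.', '_' and '-', each segment starting alphanumeric.
_BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*(/[A-Za-z0-9][A-Za-z0-9._-]*)*")
_MAX_LEN = 200  # assumed upper bound to keep error messages and logs sane


def validate_branch(branch: str) -> str:
    """Return the branch name unchanged if it passes the allowlist, else raise ValueError."""
    if not isinstance(branch, str) or not branch or len(branch) > _MAX_LEN:
        raise ValueError("branch name empty, non-string, or too long")
    # fullmatch anchors both ends; a trailing newline or stray ';' fails here
    if not _BRANCH_RE.fullmatch(branch):
        raise ValueError(f"branch name contains disallowed characters: {branch!r}")
    # Two git-specific rules the regex alone does not cover
    if ".." in branch or branch.endswith(".lock"):
        raise ValueError(f"branch name violates git ref rules: {branch!r}")
    return branch


def pr_create_argv(branch: str, base: str = "main",
                   title: str = "Automated release") -> List[str]:
    """Build the PR-creation command as an argv list (gh CLI assumed).

    The vulnerable pattern this replaces is string interpolation into a shell, e.g.
    subprocess.run(f"gh pr create --head {branch}", shell=True), where the shell
    parses the branch name. Here the name is one argv element and is never parsed.
    """
    return ["gh", "pr", "create",
            "--base", validate_branch(base),
            "--head", validate_branch(branch),
            "--title", title]


def run_pr_create(branch: str, dry_run: bool = True) -> List[str]:
    """Validate, build argv, and (unless dry_run) execute it without a shell."""
    argv = pr_create_argv(branch)
    if not dry_run:
        subprocess.run(argv, check=True, shell=False)
    return argv


# Constructed sample branch names for demonstration; not taken from any real repository.
SAMPLES = ["release/1.13.6", "feature_x-2", "; rm -rf /;", "$(id)", "a..b", "x.lock"]


def classify(samples: List[str] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to 'accepted' or 'rejected' according to validate_branch."""
    verdicts: Dict[str, str] = {}
    for name in samples:
        try:
            validate_branch(name)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{verdict:8s} {name!r}")
    print(run_pr_create("release/1.13.6"))
```

Running the module prints each sample's verdict and the argv that would be executed for a valid name; pass dry_run=False only once the gh CLI is installed and authenticated. The two layers are deliberately independent: even if the allowlist were loosened, the argv form still prevents shell interpretation, and even if someone later reintroduced shell=True, the allowlist still blocks metacharacters.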
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD: CVE-2025-12345
- Patch Commit: OZI-Project/publish@a1b2c3d
Sources:
Reported By: github.com