CVE-2022-35954

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-35954
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35954.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-35954
Published
2022-08-13T23:40:09Z
Modified
2025-10-14T14:34:37Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Summary
Delimiter injection vulnerability in @actions/core exportVariable
Details

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well-known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the workflow or action author intending it. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.
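The workaround described above, as an added example (not code from @actions/core or from this advisory). It assumes a simplified model of the GITHUB_ENV file format, NAME<<DELIMITER blocks plus NAME=value lines; serialize, parseEnvFile and safeSerialize are hypothetical helper names, and the sample input is constructed.

```javascript
// Added example: simplified model of the env file, not the runner's real parser.
const DELIM = '_GitHubActionsFileCommandDelimeter_';

// Write one variable as a block wrapped in the fixed delimiter.
function serialize(name, value) {
  return `${name}<<${DELIM}\n${value}\n${DELIM}\n`;
}

// Hypothetical reader: a block ends at the first line equal to its delimiter.
function parseEnvFile(text) {
  const env = {};
  const lines = text.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const here = line.indexOf('<<');
    const eq = line.indexOf('=');
    if (here !== -1 && (eq === -1 || here < eq)) {
      const delim = line.slice(here + 2);
      const body = [];
      i++;
      while (i < lines.length && lines[i] !== delim) body.push(lines[i++]);
      env[line.slice(0, here)] = body.join('\n');
    } else if (eq !== -1) {
      env[line.slice(0, eq)] = line.slice(eq + 1);
    }
  }
  return env;
}

// The advisory's workaround: reject input that contains the delimiter
// before it is exported.
function safeSerialize(name, value) {
  const v = String(value);
  if (name.includes(DELIM) || v.includes(DELIM)) {
    throw new Error(`refusing to export ${name}: input contains the delimiter`);
  }
  return serialize(name, v);
}

// Constructed untrusted value: it closes the block early, so the reader
// treats the following line as a separate assignment.
const untrusted = `hello\n${DELIM}\nINJECTED=1`;
console.log(parseEnvFile(serialize('TITLE', untrusted)));
```

In an action, the same check would run on the value immediately before the call to core.exportVariable.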

Affected packages

Git /

Affected ranges

Database specific

{
    "unresolved_versions": [
        {
            "type": "",
            "events": [
                {
                    "introduced": "0"
                },
                {
                    "last_affected": "1.9.0"
                }
            ]
        }
    ]
}