GHSA-pwf7-47c3-mfhx

Source
https://github.com/advisories/GHSA-pwf7-47c3-mfhx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-pwf7-47c3-mfhx/GHSA-pwf7-47c3-mfhx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pwf7-47c3-mfhx
Published
2025-09-29T17:51:19Z
Modified
2025-09-29T17:51:19Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
j178/prek-action vulnerable to arbitrary code injection in composite action
Details

Summary

There are three potential arbitrary code injection vectors in the composite action defined in action.yml.

Details

The GitHub Action variables inputs.prek-version, inputs.extra_args, and inputs.extra-args can be used to execute arbitrary code in the context of the action.

PoC

- uses: j178/prek-action@v1.0.5
  with:
    prek-version: $(printenv >> $GITHUB_STEP_SUMMARY && echo "0.2.2")
    extra_args: '&& echo "MY_SECRET with a character is: ${MY_SECRET:0:1}a${MY_SECRET:1}" >> $GITHUB_STEP_SUMMARY && echo ""'
  env:
    MY_SECRET: ${{ secrets.MY_SECRET }}

The previous example will print all the environment variables, and it will expose the value of the MY_SECRET environment variable in the workflow summary. An attacker could potentially use this vector to compromise the security of the target repository, even passing unnoticed because the action will still run normally.
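The pattern behind this advisory, shown as an added illustration that is not the project's own action.yml (the step layout, the install command and the prek invocation are assumed): the first document interpolates the inputs straight into the script, the second passes them through env and validates them.

```yaml
# Added illustration, not the real j178/prek-action action.yml. Step layout,
# "install-prek" and the prek invocation are assumed for the example.
#
# --- Vulnerable pattern -------------------------------------------------
# A ${{ }} expression is expanded by the runner BEFORE bash starts, so the
# input text becomes part of the script. A prek-version such as
#   $(printenv >> $GITHUB_STEP_SUMMARY && echo "0.2.2")
# or an extra_args value starting with "&& ..." is executed as code.
runs:
  using: composite
  steps:
    - run: |
        install-prek "${{ inputs.prek-version }}"      # hypothetical installer
        prek run ${{ inputs.extra_args }} ${{ inputs.extra-args }}
      shell: bash
---
# --- Hardened pattern ---------------------------------------------------
# Pass each input through the step's env block. The runner then sets a
# variable instead of rewriting the script; bash expands "$VAR" at run time
# and performs no command substitution on its value. The version is checked
# against an allow-list shape, and extra arguments are word-split into an
# array so "&&", ";" and "$(...)" remain literal text.
runs:
  using: composite
  steps:
    - env:
        PREK_VERSION: ${{ inputs.prek-version }}
        EXTRA_ARGS: ${{ inputs.extra_args }} ${{ inputs.extra-args }}
      run: |
        set -eo pipefail
        if [[ ! "$PREK_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
          echo "::error::prek-version must look like X.Y.Z, got: $PREK_VERSION"
          exit 1
        fi
        install-prek "$PREK_VERSION"                    # hypothetical installer
        read -r -a args <<< "$EXTRA_ARGS"   # whitespace split only, no eval
        prek run "${args[@]}"
      shell: bash
```

With the hardened form, the PoC inputs above are handed to the tool as plain argument strings (or rejected by the version check) instead of being run by the shell.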

Impact

Critical, CWE-94

Database specific
{
    "github_reviewed": true,
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-94"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2025-09-29T17:51:19Z"
}
References

Affected packages

GitHub Actions / j178/prek-action

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.6

Database specific

last_known_affected_version_range

"<= 1.0.5"