GHSA-vxmw-7h4f-hqxh

Suggest an improvement
Source
https://github.com/advisories/GHSA-vxmw-7h4f-hqxh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-vxmw-7h4f-hqxh/GHSA-vxmw-7h4f-hqxh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vxmw-7h4f-hqxh
Published
2025-09-04T14:07:03Z
Modified
2025-09-04T14:07:03Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS Calculator
Summary
PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
Details

Summary

gh-action-pypi-publish makes use of GitHub Actions expression expansions (i.e. ${{ ... }}) in contexts that are potentially attacker controllable. Depending on the trigger used to invoke gh-action-pypi-publish, this may allow an attacker to execute arbitrary code within the context of a workflow step that invokes gh-action-pypi-publish.

Details

gh-action-pypi-publish contains a composite action step, set-repo-and-ref, that makes use of expression expansions:

  - name: Set repo and ref from which to run Docker container action
    id: set-repo-and-ref
    run: |
      # Set repo and ref from which to run Docker container action
      # to handle cases in which `github.action_` context is not set
      # https://github.com/actions/runner/issues/2473
      REF=${{ env.ACTION_REF || env.PR_REF || github.ref_name }}
      REPO=${{ env.ACTION_REPO || env.PR_REPO || github.repository }}
      REPO_ID=${{ env.PR_REPO_ID || github.repository_id }}
      echo "ref=$REF" >>"$GITHUB_OUTPUT"
      echo "repo=$REPO" >>"$GITHUB_OUTPUT"
      echo "repo-id=$REPO_ID" >>"$GITHUB_OUTPUT"
    shell: bash
    env:
      ACTION_REF: ${{ github.action_ref }}
      ACTION_REPO: ${{ github.action_repository }}
      PR_REF: ${{ github.event.pull_request.head.ref }}
      PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
      PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}

Permalink: https://github.com/pypa/gh-action-pypi-publish/blob/db8f07d3871a0a180efa06b95d467625c19d5d5f/action.yml#L114-L125

In normal intended operation, these expansions are used to establish a correct priority for outputs like ref and repo-id.

However, these expansions have a side effect: because they're done with ${{ ... }} and not with ${...} (i.e. normal shell interpolation), they can bypass normal shell quoting rules. In particular, if both env.ACTION_REF and env.PR_REF evaluate to empty strings, then the expression falls back to github.ref_name, which can be an attacker controlled string via a branch or tag name.

For example, if the attacker is able to set a branch name to something like innocent;cat${IFS}/etc/passwd, then the REF line may expand as:

REF=innocent;cat${IFS}/etc/passwd

which would set REF to innocent and then run the attacker's code.

Additional information about dangerous expansions can be found in zizmor's <code>template-injection</code> rule documentation.

Impact

The impact of this vulnerability is very low: the expression in question is unlikely to be evaluated in normal operation, since env.ACTION_REF should always take precedence.

In particular, the action is not vulnerable in many popular configurations, i.e. those where pull_request or release or a push: tags event is used to call the action.

Database specific 
{
    "nvd_published_at": null,
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-04T14:07:03Z",
    "cwe_ids": [
        "CWE-77"
    ]
}
References

Affected packages

GitHub Actions / pypa/gh-action-pypi-publish

Package

Name
pypa/gh-action-pypi-publish

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.13.0