SYM_CONF_0021 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | High |
Description
Using `${{ github.* }}` expressions directly inside the `script:` input of `actions/github-script` allows untrusted input to be executed as code. The runner expands `${{ ... }}` expressions textually, with no escaping, before the step starts, so whatever an expression evaluates to is spliced into the JavaScript source that the action then runs. Many fields of the `github.event` context (pull request titles and bodies, issue comments, branch names, commit messages, author names) are controlled by whoever opens the pull request or issue, so an attacker can choose a value that closes the surrounding string literal and appends arbitrary JavaScript. The workflow is then exposed to a code injection attack.
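The following workflow is an added illustration of the pattern described above; it is not taken from the Symbiotic database page or from the `actions/github-script` documentation. The workflow name, label name and the sample malicious title are assumptions chosen for this example. It places the weak form beside two safe alternatives: reading the value from the `context` object the action already provides, or routing the expression through `env:` so that expansion lands in an environment variable rather than in code.

```yaml
# Added example, not from the original page. Labels a pull request based on
# its title. Workflow name, label and the sample title below are invented.
name: label-from-title
on:
  pull_request:
    types: [opened, edited]

permissions:
  pull-requests: write

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: ${{ ... }} is expanded by the runner into the script text
      # before Node.js parses it, so the title becomes JavaScript source, not
      # data. A pull request titled
      #   x"); require("child_process").execSync("id"); //
      # turns the first line of the script into
      #   const title = "x"); require("child_process").execSync("id"); //";
      # and the injected call runs with the step's GITHUB_TOKEN.
      - uses: actions/github-script@v7
        with:
          script: |
            const title = "${{ github.event.pull_request.title }}";
            if (title.startsWith("fix:")) {
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                labels: ["bug"],
              });
            }

  hardened:
    runs-on: ubuntu-latest
    steps:
      # SAFE (preferred): the action exposes the webhook payload as `context`.
      # Nothing is interpolated into the script text, so the title is an
      # ordinary runtime string no matter what characters it contains.
      - uses: actions/github-script@v7
        with:
          script: |
            const title = context.payload.pull_request.title;
            if (title.startsWith("fix:")) {
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                labels: ["bug"],
              });
            }

      # SAFE (alternative): when a value is only reachable as an expression,
      # bind it to an environment variable. The expansion still happens, but
      # into the variable's value, never into the JavaScript source.
      - uses: actions/github-script@v7
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        with:
          script: |
            const title = process.env.PR_TITLE;
            if (title.startsWith("fix:")) {
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                labels: ["bug"],
              });
            }
```

When auditing a repository, search every `actions/github-script` step for `${{` inside the `script:` block. Any `github.event.*` field that a contributor can set (title, body, comment text, head ref, commit message) should be treated as attacker-controlled, even when the trigger only fires for pull requests from the same repository, because the fix is the same in every case and costs nothing.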
Impact
An attacker who controls the interpolated value can run arbitrary JavaScript, and through it arbitrary shell commands, on the GitHub Actions runner. The injected code executes with the `GITHUB_TOKEN` handed to the step and with any secrets exposed to the job, so it can read those credentials, modify the repository (for example push commits, alter releases or change workflow files) and reach any internal systems the runner can access. The result can be compromised credentials, unauthorized repository changes and a broader compromise of the CI/CD pipeline and whatever it deploys.