Summary

A command injection vulnerability was discovered in the .github/workflows/cherrypick.yaml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl ...)) to execute arbitrary shell commands on the Actions runner.

Details

By dropping a comment in a PR with the body starting with /cherrypick and then adding commands it's possible to inject malicious code. The injection can be achieve in this part of the workflow.

- name: Extract PR and target branch info
        id: vars
        run: |
          **comment="${{ github.event.comment.body }}"**
          target_branch=$(echo "$comment" | awk '{print $2}')
          pr_number=${{ github.event.issue.number }}

In addition, the GITHUB_TOKEN is set with high permissions:

    permissions:
      contents: write
      pull-requests: write
      issues: write

PoC

To replicate the vulnerability you can drop a comment in a PR with the following:
/cherrypick " && curl .... #

Impact

The impact of this vulnerability is critical due to the high privileges of the GITHUB_TOKEN exfiltrated. An attacker could completely overtake the repository (contents: write) other then create workflows to extracts other secrets from the repository, and create new tags and releases. To prove the impacts we temporarely pushed a new tag poc-v1.1.55 which we removed after 2 minutes.

This could result in:

• Exfiltration of the repository’s GITHUB_TOKEN (with write access),
• Unauthorized changes to repository contents, releases, and workflows,
• Exposure of other repository secrets (e.g., Slack, npm tokens).

Kindly reported by @darryk10 @AlbertoPellitteri