Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | High |
Description
Interpolating GitHub context values that an outside party controls (for example `github.event.issue.title`, `github.event.pull_request.body`, `github.head_ref` or a commit message) directly into a `run:` step with a `${{ }}` expression allows untrusted input to be executed as shell commands. The runner substitutes the expression into the script text before the shell parses it, so quoting in the script does not help: a value containing `"; <command>; echo "` closes the original string and runs the attacker's command. The fix is to pass the value through an environment variable (`env:` on the step or job) and reference it in the script as `"$VAR"`, so the shell sees the data only at expansion time.
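The following workflow is an added example, not code from the original page; the workflow name, job names and script bodies are assumptions chosen to show the vulnerable pattern next to its fix. The `unsafe` job interpolates the issue title into the script, the `safe` job passes the same value through an environment variable.

```yaml
# Added example (not from the original page). Workflow and job names are
# assumptions; the trigger and context paths are real GitHub Actions fields.
name: triage

on:
  issues:
    types: [opened]

jobs:
  # Vulnerable: ${{ }} is expanded into the script text before bash runs it.
  # An issue titled
  #   x"; id; echo "
  # turns the step into   echo "New issue: x"; id; echo ""
  # so the injected `id` (or any other command) executes on the runner.
  unsafe:
    runs-on: ubuntu-latest
    steps:
      - name: Announce issue (vulnerable)
        run: echo "New issue: ${{ github.event.issue.title }}"

  # Hardened: the title is bound to an environment variable and the script
  # only contains the literal token "$TITLE". Shell metacharacters in the
  # title are now data inside a quoted expansion, not command syntax.
  safe:
    runs-on: ubuntu-latest
    steps:
      - name: Announce issue (safe)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
```

The same pattern applies to every untrusted context field and to scripts passed to `actions/github-script` or other interpreters: never place the expression inside the script body, always bind it to `env:` and quote the variable. Keep in mind that an `env:` block placed at the job level exposes the value to every step in that job, so prefer step-level `env:` when only one step needs it.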
Impact
A successful injection runs attacker-chosen commands with the permissions of the workflow job. The attacker can read any secret exposed to that step (including `GITHUB_TOKEN`, whose permissions may allow pushing commits or publishing releases), modify the checked-out code or build artifacts, and pivot from the runner to any system its credentials reach. The result can be a data breach, tampered code or releases, or unauthorized access to sensitive systems and credentials.