Platform: javascript
Component: wilderforge/wilderforge
Fixed in: 5.2.2, 1.0.1, 0.4.3, 36.0.1, 1.0.2, 1.3.2, 1.9.2, 0.5.2
WilderForge is a Wildermyth coremodding API, and a critical vulnerability has been discovered in multiple projects utilizing it, specifically impacting the Autosplitter component. This vulnerability stems from the unsafe handling of user-controlled variables, particularly within GitHub Actions workflows. Malicious actors can exploit this by crafting pull request reviews containing shell metacharacters, leading to arbitrary code execution on the GitHub Actions runner.
The impact of CVE-2025-49013 is severe due to the potential for arbitrary command execution. An attacker successfully submitting a malicious pull request review could gain complete control over the GitHub Actions runner environment. This could involve stealing sensitive credentials stored on the runner, modifying project files, deploying malicious code, or even pivoting to other systems accessible from the runner. The blast radius extends to any data processed or stored by the affected GitHub Actions workflows, potentially impacting the entire Wildermyth project and its users. This vulnerability shares similarities with other code injection flaws where user input is directly incorporated into shell commands without proper sanitization.
CVE-2025-49013 was published on 2025-06-09. The vulnerability's critical CVSS score (10) indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the widespread use of GitHub Actions. While no active campaigns have been publicly reported as of this writing, the vulnerability's severity warrants immediate attention and proactive mitigation. The vulnerability is not currently listed on KEV or EPSS, but its critical nature suggests it may be added in the future.
Exploit status:
EPSS: 0.50% (percentile 66%)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-49013 is to immediately upgrade to version 36.0.1 or later of the Autosplitter component. Prior to upgrading, assess the potential impact on existing workflows and consider a staged rollout to minimize disruption. If an immediate upgrade is not feasible, implement stricter input validation on all user-controlled variables used within GitHub Actions workflows. Specifically, sanitize or escape any input that might contain shell metacharacters. Consider using parameterized workflows or alternative methods to avoid direct shell command execution with user-provided data. After upgrading, confirm the fix by attempting to submit a pull request review containing shell metacharacters and verifying that the workflow does not execute arbitrary code.
Disable GitHub Actions in the affected repositories or remove the vulnerable workflows. Make sure not to use user-controlled variables such as `${{ github.event.review.body }}` directly in shell script contexts in GitHub Actions workflows. Implement input validation and sanitization to prevent code injection.
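The pattern described above, shown as an added example that is not WilderForge's own workflow: the first step interpolates the review body into the script text (the injection the advisory describes), the later steps pass the same value through an environment variable so the shell treats it as data. The workflow name, job name and allow-list regex are constructed for illustration.

```yaml
# Constructed example workflow (not from the WilderForge project).
name: review-triage
on:
  pull_request_review:
    types: [submitted]

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: the ${{ }} expression is expanded into the script source
      # before bash runs it, so quotes, semicolons or backticks in the review
      # body become part of the command line and are executed on the runner.
      - name: Log review (unsafe)
        run: echo "Review said: ${{ github.event.review.body }}"

      # HARDENED: the runner sets REVIEW_BODY as an environment variable.
      # The shell never parses its contents as code, and the double quotes
      # keep it a single argument to printf.
      - name: Log review (safe)
        env:
          REVIEW_BODY: ${{ github.event.review.body }}
        run: |
          printf 'Review said: %s\n' "$REVIEW_BODY"

      # Additional allow-list validation before the value reaches any tool:
      # fail the job unless the body contains only the characters expected.
      - name: Validate review body
        env:
          REVIEW_BODY: ${{ github.event.review.body }}
        run: |
          if ! printf '%s' "$REVIEW_BODY" | grep -Eq '^[A-Za-z0-9 .,_:/-]*$'; then
            echo "review body contains unexpected characters; refusing to continue" >&2
            exit 1
          fi
```

The same env-variable pattern applies to any other event field an outside contributor controls (issue titles, PR bodies, commit messages), not only the review body named in this advisory.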
It's a critical code injection vulnerability in WilderForge Autosplitter, allowing attackers to execute arbitrary commands via malicious pull request reviews within GitHub Actions workflows.
If you're using WilderForge Autosplitter versions prior to 36.0.1, you are potentially affected. Review your project dependencies and workflows immediately.
Upgrade to version 36.0.1 or later of the Autosplitter component. If immediate upgrade isn't possible, implement strict input validation on user-controlled variables in your GitHub Actions workflows.
No active campaigns have been publicly reported yet, but the vulnerability's severity suggests a high likelihood of exploitation. Monitor for any signs of compromise.
Refer to the official WilderForge project documentation and security advisories for detailed information and updates on this vulnerability.