वाइल्डरफोर्ज (WilderForge) कोड इंजेक्शन (Code Injection) के प्रति संवेदनशील, GitHub Actions वर्कफ़्लो के माध्यम से

The impact of CVE-2025-49013 is severe due to the potential for arbitrary command execution. An attacker successfully submitting a malicious pull request review could gain complete control over the GitHub Actions runner environment. This could involve stealing sensitive credentials stored on the runner, modifying project files, deploying malicious code, or even pivoting to other systems accessible from the runner. The blast radius extends to any data processed or stored by the affected GitHub Actions workflows, potentially impacting the entire Wildermyth project and its users. This vulnerability shares similarities with other code injection flaws where user input is directly incorporated into shell commands without proper sanitization.

1. आरक्षित2025-05-29
2. प्रकाशित2025-06-09
3. EPSS अद्यतन2026-03-23

The primary mitigation for CVE-2025-49013 is to immediately upgrade to version 36.0.1 or later of the Autosplitter component. Prior to upgrading, assess the potential impact on existing workflows and consider a staged rollout to minimize disruption. If an immediate upgrade is not feasible, implement stricter input validation on all user-controlled variables used within GitHub Actions workflows. Specifically, sanitize or escape any input that might contain shell metacharacters. Consider using parameterized workflows or alternative methods to avoid direct shell command execution with user-provided data. After upgrading, confirm the fix by attempting to submit a pull request review containing shell metacharacters and verifying that the workflow does not execute arbitrary code.