Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action

The vulnerability lies within the update-integration-tests.yml workflow included in repositories created using the vulnerable JupyterLab extension template. An attacker who can influence the contents of this file, for example, through a malicious pull request or by compromising a developer's account, could inject arbitrary commands into the workflow. Successful exploitation could lead to complete system compromise, allowing the attacker to execute code with the privileges of the GitHub Actions runner. The blast radius extends to any environment utilizing extensions built with this vulnerable template, particularly those leveraging GitHub Actions for continuous integration and deployment.

Developers and organizations using the JupyterLab extension template to create new extensions are at immediate risk. Specifically, teams relying on GitHub Actions for continuous integration and deployment are particularly vulnerable, as the workflow is the direct attack vector. Shared hosting environments where multiple developers contribute to the same repository are also at increased risk.

• python: Examine GitHub Actions workflows (.github/workflows/update-integration-tests.yml) for suspicious commands or scripts.

- name: Check for malicious commands
  run: grep -ri 'curl|wget|powershell' .github/workflows/

• generic web: Monitor GitHub repositories using the vulnerable template for unusual activity or unexpected code changes within the update-integration-tests.yml file. • supply-chain: Review dependencies and pull requests in JupyterLab extension projects for potential malicious contributions to the update-integration-tests.yml workflow.

1. 2024-07-16Disclosure

   Public Disclosure

1. 予約済み2024-06-27
2. 公開日2024-07-16
3. 更新日2024-08-16
4. EPSS 更新日2026-04-02

The primary mitigation is to upgrade the JupyterLab extension template to version 4.3.3 or later. If an immediate upgrade is not feasible, temporarily disabling GitHub Actions while working on the upgrade is recommended. For users who have modified the update-integration-tests.yml file, carefully review and sanitize any changes to prevent malicious code injection. Rebasing open pull requests from untrusted users is also a crucial step to ensure no malicious code is introduced during the upgrade process. After upgrading, confirm the absence of the vulnerable workflow by inspecting the repository’s GitHub Actions configuration.