Platform: javascript
Component: wilderforge/wilderforge
Fixed versions: 5.2.2, 1.0.1, 0.4.3, 36.0.1, 1.0.2, 1.3.2, 1.9.2, 0.5.2
WilderForge is a coremodding API for Wildermyth. A critical vulnerability has been discovered in multiple projects that use it, specifically affecting the Autosplitter component. The flaw stems from unsafe handling of user-controlled variables in GitHub Actions workflows: event data such as the body of a pull request review is expanded directly into a shell step. An attacker can exploit this by submitting a pull request review containing shell metacharacters, leading to arbitrary code execution on the GitHub Actions runner.
The impact of CVE-2025-49013 is severe because it allows arbitrary command execution. An attacker who successfully submits a malicious pull request review could gain complete control of the GitHub Actions runner environment: stealing credentials available to the runner, modifying project files, deploying malicious code, or pivoting to other systems reachable from the runner. The blast radius extends to any data processed or stored by the affected workflows, potentially affecting the entire Wildermyth project and its users. The flaw belongs to the familiar class of code injection bugs in which user input is incorporated into shell commands without proper sanitization.
CVE-2025-49013 was published on 2025-06-09. The vulnerability's critical CVSS score (10) indicates a high probability of exploitation. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the widespread use of GitHub Actions. While no active campaigns have been publicly reported as of this writing, the vulnerability's severity warrants immediate attention and proactive mitigation. The vulnerability is not currently listed on KEV or EPSS, but its critical nature suggests it may be added in the future.
Exploit status
EPSS: 0.50% (66th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49013 is to immediately upgrade to version 36.0.1 or later of the Autosplitter component. Prior to upgrading, assess the potential impact on existing workflows and consider a staged rollout to minimize disruption. If an immediate upgrade is not feasible, implement stricter input validation on all user-controlled variables used within GitHub Actions workflows. Specifically, sanitize or escape any input that might contain shell metacharacters. Consider using parameterized workflows or alternative methods to avoid direct shell command execution with user-provided data. After upgrading, confirm the fix by attempting to submit a pull request review containing shell metacharacters and verifying that the workflow does not execute arbitrary code.
Disable GitHub Actions in the affected repositories or remove the vulnerable workflow. Do not use user-controlled variables such as `${{ github.event.review.body }}` directly in a shell script context within GitHub Actions workflows. Implement input validation and sanitization to prevent code injection.
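The following Python script is an added example, not code from the WilderForge project or from this advisory. It embeds two constructed workflow fragments: one with the vulnerable pattern named in the mitigation text above, where `${{ github.event.review.body }}` is expanded inside a `run:` step, and one hardened by passing the same value through an environment variable. The `find_shell_injections` helper is written for this example and audits workflow text for untrusted event contexts interpolated into `run:` steps; the `UNTRUSTED_PREFIXES` list is an assumed subset of the contexts GitHub documents as attacker-controllable, not an exhaustive one.

```python
"""Audit GitHub Actions workflow text for untrusted event data expanded
into `run:` shell steps (the injection pattern described in the advisory).

Added example, not WilderForge project code. The two workflow fragments
below are constructed for illustration.
"""
import re

# Expression contexts whose value an external contributor can set.
# Assumed subset of the contexts GitHub documents as attacker-controllable.
UNTRUSTED_PREFIXES = (
    "github.event.review.body",
    "github.event.comment.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)

# Matches `${{ <expression> }}` and captures the expression text.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"(-\s+)?run:\s*(.*)$")

# Constructed vulnerable workflow: the review body is substituted by the
# runner into the script text before the shell parses it.
VULNERABLE_WORKFLOW = """\
name: autosplit-review
on:
  pull_request_review:
    types: [submitted]
jobs:
  react:
    runs-on: ubuntu-latest
    steps:
      - name: Echo review (VULNERABLE - body expanded into the script)
        run: |
          echo "Review said: ${{ github.event.review.body }}"
"""

# Constructed hardened workflow: the value reaches the shell only as the
# contents of an environment variable, and is quoted when used.
FIXED_WORKFLOW = """\
name: autosplit-review
on:
  pull_request_review:
    types: [submitted]
jobs:
  react:
    runs-on: ubuntu-latest
    steps:
      - name: Echo review (FIXED - body passed via env and quoted)
        env:
          REVIEW_BODY: ${{ github.event.review.body }}
        run: |
          echo "Review said: $REVIEW_BODY"
"""


def find_shell_injections(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for each `${{ }}` expression that
    references an untrusted context from inside a `run:` step.

    Handles both inline `run: ...` and block-scalar `run: |` forms by
    tracking indentation; expressions under `env:` or `with:` are not
    flagged because the shell receives them as data, not script text.
    """
    findings: list[tuple[int, str]] = []
    in_run = False
    run_indent = -1
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if not stripped:
            continue  # blank lines do not terminate a block scalar
        if in_run and indent <= run_indent:
            in_run = False  # dedented back to the key level: block ended
        key_match = RUN_KEY_RE.match(stripped)
        if key_match:
            rest = key_match.group(2)
            if rest in ("|", ">", "|-", ">-", "|+", ">+"):
                in_run = True
                # Column where `run:` itself starts (after any `- ` prefix).
                run_indent = indent + len(key_match.group(1) or "")
                continue
            text_to_scan = rest  # inline `run: echo ...` form
        elif in_run:
            text_to_scan = line
        else:
            continue
        for expr in EXPR_RE.findall(text_to_scan):
            if any(expr.startswith(prefix) for prefix in UNTRUSTED_PREFIXES):
                findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, find_shell_injections(text))
```

The hardened form works because the runner substitutes `${{ }}` expressions into the step's script text before the shell ever runs it, so metacharacters in a review body become part of the script in the vulnerable form; in the fixed form the same text is placed in `REVIEW_BODY`, which the shell reads as an ordinary variable value, and double-quoting `"$REVIEW_BODY"` keeps it a single argument. Running the scanner over a repository's `.github/workflows/*.yml` files is a cheap check before and after the upgrade described above.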
It's a critical code injection vulnerability in WilderForge Autosplitter, allowing attackers to execute arbitrary commands via malicious pull request reviews within GitHub Actions workflows.
If you're using WilderForge Autosplitter versions prior to 36.0.1, you are potentially affected. Review your project dependencies and workflows immediately.
Upgrade to version 36.0.1 or later of the Autosplitter component. If immediate upgrade isn't possible, implement strict input validation on user-controlled variables in your GitHub Actions workflows.
No active campaigns have been publicly reported yet, but the vulnerability's severity suggests a high likelihood of exploitation. Monitor for any signs of compromise.
Refer to the official WilderForge project documentation and security advisories for detailed information and updates on this vulnerability.