平台
javascript
组件
wilderforge/wilderforge
修复版本
5.2.2
1.0.1
0.4.3
36.0.1
1.0.2
1.3.2
1.9.2
0.5.2
WilderForge is a Wildermyth coremodding API, and a critical vulnerability has been discovered in multiple projects utilizing it, specifically impacting the Autosplitter component. This vulnerability stems from the unsafe handling of user-controlled variables, particularly within GitHub Actions workflows. Malicious actors can exploit this by crafting pull request reviews containing shell metacharacters, leading to arbitrary code execution on the GitHub Actions runner.
The impact of CVE-2025-49013 is severe due to the potential for arbitrary command execution. An attacker successfully submitting a malicious pull request review could gain complete control over the GitHub Actions runner environment. This could involve stealing sensitive credentials stored on the runner, modifying project files, deploying malicious code, or even pivoting to other systems accessible from the runner. The blast radius extends to any data processed or stored by the affected GitHub Actions workflows, potentially impacting the entire Wildermyth project and its users. This vulnerability shares similarities with other code injection flaws where user input is directly incorporated into shell commands without proper sanitization.
CVE-2025-49013 was published on 2025-06-09. The vulnerability's critical CVSS score (10) indicates a high probability of exploitation. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the widespread use of GitHub Actions. While no active campaigns have been publicly reported as of this writing, the vulnerability's severity warrants immediate attention and proactive mitigation. The vulnerability is not currently listed on KEV or EPSS, but its critical nature suggests it may be added in the future.
漏洞利用状态
EPSS
0.50% (66% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-49013 is to immediately upgrade to version 36.0.1 or later of the Autosplitter component. Prior to upgrading, assess the potential impact on existing workflows and consider a staged rollout to minimize disruption. If an immediate upgrade is not feasible, implement stricter input validation on all user-controlled variables used within GitHub Actions workflows. Specifically, sanitize or escape any input that might contain shell metacharacters. Consider using parameterized workflows or alternative methods to avoid direct shell command execution with user-provided data. After upgrading, confirm the fix by attempting to submit a pull request review containing shell metacharacters and verifying that the workflow does not execute arbitrary code.
禁用受影响存储库中的 GitHub Actions 或删除易受攻击的工作流。确保不要在 GitHub Actions 工作流中直接在 shell 脚本上下文中,使用诸如 `${{ github.event.review.body }}` 之类的用户控制变量。实施输入验证和清理,以防止代码注入。漏洞分析和关键警报直接发送到您的邮箱。
It's a critical code injection vulnerability in WilderForge Autosplitter, allowing attackers to execute arbitrary commands via malicious pull request reviews within GitHub Actions workflows.
If you're using WilderForge Autosplitter versions prior to 36.0.1, you are potentially affected. Review your project dependencies and workflows immediately.
Upgrade to version 36.0.1 or later of the Autosplitter component. If immediate upgrade isn't possible, implement strict input validation on user-controlled variables in your GitHub Actions workflows.
No active campaigns have been publicly reported yet, but the vulnerability's severity suggests a high likelihood of exploitation. Monitor for any signs of compromise.
Refer to the official WilderForge project documentation and security advisories for detailed information and updates on this vulnerability.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。