CVE-2025-54416
tj-actions/branch-names Contains Command Injection Vulnerability
In short
A GitHub Action tool that processes branch and tag names fails to properly sanitize its output, allowing attackers to inject malicious commands into workflows that use this tool. This can lead to arbitrary code execution in downstream workflows.
Technical detail
The action contains a command injection vulnerability (CWE-77) via unescaped output of branch/tag names. Despite internal sanitization, outputs are not properly escaped for shell contexts, allowing specially crafted branch names to break out and execute arbitrary commands in consuming workflows. Pre-conditions include using the vulnerable action versions (8.2.1 and below) and processing attacker-controlled branch or tag names.
Summary generated and translated by AI from the official description.
tj-actions/branch-names is a GitHub Actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names' GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
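The technical detail above describes the risk in the consuming workflow: an unescaped branch or tag name that a workflow splices into a `run:` script becomes shell source. As an added example that is not part of this advisory or of the tj-actions project, the audit script below scans a workflow for steps using tj-actions/branch-names whose outputs are interpolated directly into `run:` scripts, and accepts the pattern where the value reaches the shell only through an `env:` variable. The sample workflow, the `v8` tag and the `current_branch` output name are constructed assumptions; upgrading to 9.0.0 remains the fix the advisory gives.

```python
import re

ACTION = "tj-actions/branch-names"   # advisory: versions 8.2.1 and below affected, fixed in 9.0.0
STEP_START = re.compile(r"^\s*-\s")  # a YAML list item; inside `steps:` that is a new step
KEY_RE = re.compile(r"^\s*-?\s*(id|uses):\s*(\S+)")
RUN_RE = re.compile(r"^\s*-?\s*run:(?P<rest>.*)$")
OUTPUT_RE = re.compile(r"\$\{\{\s*steps\.([\w-]+)\.outputs\.([\w-]+)\s*\}\}")

def find_unsafe_interpolations(workflow_text):
    """Return (line_no, step_id, output_name) for every ${{ steps.<id>.outputs.<name> }} spliced
    into a run: script by a step <id> that uses ACTION; values routed via env: are not flagged."""
    lines = workflow_text.splitlines()
    risky_ids, step = set(), {}            # pass 1: ids of steps using the affected action
    for line in lines + ["- "]:            # sentinel flushes the final step
        if STEP_START.match(line):
            if step.get("uses", "").startswith(ACTION) and "id" in step:
                risky_ids.add(step["id"])
            step = {}
        if m := KEY_RE.match(line):
            step[m.group(1)] = m.group(2)
    findings, in_run, run_indent = [], False, 0   # pass 2: scan inline and block run: scripts
    for no, line in enumerate(lines, 1):
        m = RUN_RE.match(line)
        if m:
            in_run = m.group("rest").strip() in {"|", "|-", "|+", ">", ">-", ">+"}
            run_indent = line.index("run:")
        elif in_run and line.strip() and len(line) - len(line.lstrip()) <= run_indent:
            in_run = False                 # dedent ends the block scalar
        if m or in_run:
            for om in OUTPUT_RE.finditer(line):
                if om.group(1) in risky_ids:
                    findings.append((no, om.group(1), om.group(2)))
    return findings

# Constructed sample workflow (not from the advisory); `v8` and `current_branch` are assumed names.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - id: branch
        uses: tj-actions/branch-names@v8
      - name: Unsafe (branch name spliced into the shell script source)
        run: echo "Building ${{ steps.branch.outputs.current_branch }}"
      - name: Safe (branch name reaches the shell only as an environment variable)
        env:
          BRANCH: ${{ steps.branch.outputs.current_branch }}
        run: |
          echo "Building $BRANCH"
"""
```

Running `find_unsafe_interpolations(SAMPLE_WORKFLOW)` reports only the `run:` line of the unsafe step; the `env:` consumer is left alone because the shell receives the name as variable data rather than as script text.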
Affected products
tj-actions · branch-names