GHSA-2487-9f55-2vg9

Опубликовано: 12 мая 2025

Источник: github

Github: Прошло ревью

CVSS4: 6.3

Описание

OZI-Project/ozi-publish Code Injection vulnerability

Impact

Potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.

Patches

This is patched in 1.13.6

Workarounds

Downgrade to <1.13.2

References

Understanding the Risk of Script Injections

Ссылки

Пакеты

Наименование

OZI-Project/publish

actions

Затронутые версииВерсия исправления

>= 1.13.2, < 1.13.6

1.13.6

EPSS

Процентиль: 20%

0.00063

Низкий

6.3 Medium

CVSS4

CVE ID

CVE-2025-47271

Дефекты

CWE-1116

CWE-94

CWE-95

Связанные уязвимости

CVE-2025-47271

nvd

3 месяца назад

The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.

EPSS

Процентиль: 20%

0.00063

Низкий

6.3 Medium

CVSS4

CVE ID

CVE-2025-47271

Дефекты

CWE-1116

CWE-94

CWE-95