VYPR
Low severity · NVD Advisory · Published Oct 1, 2020 · Updated Aug 4, 2024

Environment Variable Injection in GitHub Actions

CVE-2020-15228

Description

Untrusted data logged to stdout in GitHub Actions workflows can trigger addPath and exportVariable commands, allowing unauthorized modification of environment variables and PATH.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The @actions/core npm module prior to version 1.2.6 contains a command injection vulnerability in the addPath and exportVariable functions. These functions communicate with the GitHub Actions Runner by writing specially formatted strings to stdout. If a workflow logs untrusted data (e.g., user-controlled input or output from a compromised step) to stdout, that data may be interpreted as a runner command, allowing an attacker to modify the PATH or environment variables without the workflow author's intent [1][3].

Exploitation

Prerequisites

An attacker must be able to inject untrusted content into the stdout stream of a GitHub Actions workflow. This could occur when a workflow logs user-supplied data, such as from a pull request title or issue comment, or when a malicious action writes crafted output. No additional authentication is required beyond the workflow's execution context; the runner processes all stdout lines for command sequences [3].

Impact

Successful exploitation enables an attacker to alter environment variables or the system PATH. This can lead to arbitrary code execution if the modified PATH causes the runner to execute a malicious binary, or to data exfiltration by setting environment variables that influence subsequent steps. The vulnerability is rated with a CVSS score of 8.2 (High) [1].

Mitigation

The GitHub Actions Runner will disable the set-env and add-path commands in a future update. As an immediate fix, users should upgrade @actions/core to version 1.2.6 or later and replace any usage of set-env or add-path with the new Environment File Syntax. Workflows using the old commands will first receive warnings, then errors, preventing execution [1][3].
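As an added example (not code from the advisory, GitHub or the actions/toolkit project), a POSIX sh sketch of both halves of the mitigation above: a check that refuses to log text carrying the legacy stdout command syntax, and helpers that set variables and PATH through the Environment File Syntax (GITHUB_ENV / GITHUB_PATH) instead of stdout. Outside a runner the two files are assumed to be temp files.

```shell
#!/usr/bin/env sh
# Added example, not from the advisory or the actions/toolkit project.
# GITHUB_ENV and GITHUB_PATH are set by the runner; outside GitHub
# Actions we point them at temp files so the script runs stand-alone.
: "${GITHUB_ENV:=$(mktemp)}"
: "${GITHUB_PATH:=$(mktemp)}"
NL=$(printf '\nx'); NL=${NL%x}   # a literal newline, for pattern matching

# The legacy mechanism the advisory describes: a stdout line of the form
# "::set-env name=X::value" or "::add-path::dir" is parsed as a runner
# command. Returns 0 (true) if TEXT contains such a line, so a workflow
# can refuse to echo untrusted input (PR titles, issue bodies) to the log.
contains_workflow_command() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*::(set-env|add-path)[[:space:]:]'
}

# Environment File Syntax replacement for set-env: append NAME=VALUE to
# the file named by GITHUB_ENV rather than printing a command to stdout.
# Names are limited to identifier characters and values must be a single
# line, so a value cannot smuggle a second NAME=VALUE entry into the file.
set_env_safe() {
  name=$1; value=$2
  case $name in
    *[!A-Za-z0-9_]*|[0-9]*|'') echo "set_env_safe: bad name '$name'" >&2; return 1 ;;
  esac
  case $value in
    *"$NL"*) echo "set_env_safe: multi-line value rejected" >&2; return 1 ;;
  esac
  printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
}

# Environment File Syntax replacement for add-path: append one directory
# per line to the file named by GITHUB_PATH.
add_path_safe() {
  [ -n "$1" ] || return 1
  case $1 in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" >> "$GITHUB_PATH"
}
```

Values that legitimately span several lines belong in GITHUB_ENV via the delimiter form documented by GitHub; this helper simply rejects them.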

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @actions/core (npm)
Affected versions: < 1.2.6
Patched versions: 1.2.6

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.