Custom environment variables allow to alter execution flow of plugins in Woodpecker
Description
Malicious pipelines in Woodpecker CI/CD server allow unauthenticated users to override plugin entrypoints, leading to host takeover and secret extraction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Analysis
CVE-2024-41122 is an improper input validation vulnerability in Woodpecker, an open-source CI/CD engine. The server permits any user who can create a pipeline to define malicious workflows. These workflows can either lead to a host takeover of the agent executing the pipeline or extract secrets that would normally be provided to plugins [1]. The root cause is the lack of restrictions on setting arbitrary environment variables and plugin entrypoints, which allows an attacker to manipulate the execution environment [2].
Exploitation
The vulnerability is exploitable by any authenticated user who can trigger a pipeline run. No special privileges are required beyond the ability to create or run workflows. The attacker crafts a commands_step or plugin_step that overwrites the plugin entrypoint by setting environment variables such as PLUGIN_ENTRYPOINT and PATH [3]. Because the server did not blocklist these sensitive variables, the malicious step can execute arbitrary commands on the agent host. The attack is network-based; the malicious workflow definition is submitted via the Woodpecker API or web interface [4].
Impact
Successful exploitation grants the attacker two primary capabilities: first, arbitrary code execution on the agent host, effectively a host takeover; second, extraction of secrets that would otherwise be securely passed to legitimate plugins (e.g., API tokens, registry credentials). The CVSSv4 score is currently not provided by NVD, but the vendor considers this a high-severity issue [1].
Mitigation
The vulnerability has been fixed in Woodpecker version 2.7.0, released on 2024-07-18 [2]. The fix includes a blocklist of environment variables that could alter plugin execution, disallowing arbitrary environments for plugins, and ensuring plugins only mount the workspace base in a predefined location [3]. There are no known workarounds; users are strongly advised to upgrade immediately [1].
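An added example, not Woodpecker's code: a pre-upgrade audit that flags steps the 2.7.0 rules described above would reject (settings mixed with commands, entrypoint or environment) and secrets mapped onto the blocklisted variables. The JSON step shape, `AuditStep`, `AuditPipeline` and the sample pipeline are assumptions constructed for illustration; only the variable names and the three conflict rules come from the patches on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Step is a simplified JSON form of one workflow step (assumed, not Woodpecker's type).
type Step struct {
	Name        string                            `json:"name"`
	Settings    map[string]any                    `json:"settings"`
	Commands    []string                          `json:"commands"`
	Entrypoint  []string                          `json:"entrypoint"`
	Environment map[string]any                    `json:"environment"`
	Secrets     []struct{ Source, Target string } `json:"secrets"`
}

// Variable names copied from the blocklist added in PR #3934.
var blocked = map[string]bool{
	"PATH": true, "PATH_SEPARATOR": true, "COMMAND_MODE": true, "LIBPATH": true,
	"DYLD_FALLBACK_FRAMEWORK_PATH": true, "DYLD_FALLBACK_LIBRARY_PATH": true,
	"DYLD_INSERT_LIBRARIES": true, "DYLD_LIBRARY_PATH": true, "LD_PRELOAD": true,
	"LD_LIBRARY_PATH": true, "LD_AUDIT": true, "LD_BIND_NOW": true, "LD_PROFILE": true,
}

// AuditStep lists what the 2.7.0 rules would reject or drop for one step.
func AuditStep(s Step) []string {
	var out []string
	add := func(set bool, what string) { // conflicts the fixed linter reports
		if set && len(s.Settings) > 0 {
			out = append(out, s.Name+": settings combined with "+what)
		}
	}
	add(len(s.Commands) > 0, "commands")
	add(len(s.Entrypoint) > 0, "entrypoint")
	add(len(s.Environment) > 0, "environment")
	if len(s.Commands) == 0 && len(s.Entrypoint) == 0 { // pre-fix IsPlugin(): treated as a plugin
		for _, ref := range s.Secrets {
			if key := strings.ToUpper(ref.Target); blocked[key] {
				out = append(out, fmt.Sprintf("%s: secret %q targets blocked variable %s", s.Name, ref.Source, key))
			}
		}
	}
	return out
}

// AuditPipeline decodes a JSON pipeline with array-style steps and audits each step.
func AuditPipeline(doc []byte) (out []string, err error) {
	var p struct{ Steps []Step }
	if err = json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	for _, s := range p.Steps {
		out = append(out, AuditStep(s)...)
	}
	return out, nil
}

// Constructed sample, modelled on the test fixtures in the patch.
const samplePipeline = `{"steps": [
 {"name": "build", "image": "golang", "commands": ["go build ./..."], "environment": {"CGO": 0}},
 {"name": "publish", "image": "plugins/docker", "settings": {"repo": "foo/bar", "tags": "latest"}, "environment": {"CGO": 0}},
 {"name": "publish2", "image": "plugins/docker", "settings": {"repo": "foo/bar"}, "commands": ["env"]},
 {"name": "notify", "image": "example/notify-plugin", "settings": {"channel": "ci"}, "secrets": [{"source": "notify_token", "target": "path"}]}
]}`

func main() {
	findings, err := AuditPipeline([]byte(samplePipeline))
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```

The `build` step produces no finding because it is a plain commands step; the secret target is matched after upper-casing, as the patched compiler does.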
- NVD - CVE-2024-41122
- Add blocklist of environment variables who could alter execution of plugins by 6543 · Pull Request #3934 · woodpecker-ci/woodpecker
- Disallow to set arbitrary environments for plugins by 6543 · Pull Request #3909 · woodpecker-ci/woodpecker
- Disalow to set arbitrary environments for plugins (#3909) · woodpecker-ci/woodpecker@8aa3e5e
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| go.woodpecker-ci.org/woodpecker/v2 (Go) | < 2.7.0 | 2.7.0 |
| go.woodpecker-ci.org/woodpecker (Go) | < 2.7.0 | 2.7.0 |
Affected products
- ghsa-coords (2 versions): < 2.7.0, + 1 more
- (no CPE), range: < 2.7.0
- (no CPE), range: < 2.7.0
- Range: < 2.7.0
Patches
3805c3156f857🎉 Release 2.7.0 (#3793)
1 file changed · +90 −0
CHANGELOG.md+90 −0 modified@@ -1,5 +1,95 @@ # Changelog +## [2.7.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.7.0) - 2024-07-18 + +### ❤️ Thanks to all contributors! ❤️ + +@6543, @anbraten, @dvjn, @hhamalai, @lafriks, @pat-s, @qwerty287, @smainz, @tongjicoder, @zc-devs + +### 🔒 Security + +- Add blocklist of environment variables who could alter execution of plugins [[#3934](https://github.com/woodpecker-ci/woodpecker/pull/3934)] +- Make sure plugins only mount the workspace base in a predefinde location [[#3933](https://github.com/woodpecker-ci/woodpecker/pull/3933)] +- Disallow to set arbitrary environments for plugins [[#3909](https://github.com/woodpecker-ci/woodpecker/pull/3909)] +- Use proper oauth state [[#3847](https://github.com/woodpecker-ci/woodpecker/pull/3847)] +- Enhance token checking [[#3842](https://github.com/woodpecker-ci/woodpecker/pull/3842)] +- Bump github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7 [[#3834](https://github.com/woodpecker-ci/woodpecker/pull/3834)] + +### ✨ Features + +- Gracefully shutdown server [[#3896](https://github.com/woodpecker-ci/woodpecker/pull/3896)] +- Gracefully shutdown agent [[#3895](https://github.com/woodpecker-ci/woodpecker/pull/3895)] +- Convert urls in logs to links [[#3904](https://github.com/woodpecker-ci/woodpecker/pull/3904)] +- Allow login using multiple forges [[#3822](https://github.com/woodpecker-ci/woodpecker/pull/3822)] +- Global and organization registries [[#1672](https://github.com/woodpecker-ci/woodpecker/pull/1672)] +- Cli get repo from git remote [[#3830](https://github.com/woodpecker-ci/woodpecker/pull/3830)] +- Add api for forges [[#3733](https://github.com/woodpecker-ci/woodpecker/pull/3733)] + +### 📈 Enhancement + +- Cli fix pipeline logs [[#3913](https://github.com/woodpecker-ci/woodpecker/pull/3913)] +- Migrate to github.com/urfave/cli/v3 [[#2951](https://github.com/woodpecker-ci/woodpecker/pull/2951)] +- Allow to change the working directory also for plugins and 
services [[#3914](https://github.com/woodpecker-ci/woodpecker/pull/3914)] +- Remove `unplugin-icons` [[#3809](https://github.com/woodpecker-ci/woodpecker/pull/3809)] +- Release windows binaries as zip file [[#3906](https://github.com/woodpecker-ci/woodpecker/pull/3906)] +- Convert to openapi 3.0 [[#3897](https://github.com/woodpecker-ci/woodpecker/pull/3897)] +- Enhance pipeline list [[#3898](https://github.com/woodpecker-ci/woodpecker/pull/3898)] +- Add user registries UI [[#3888](https://github.com/woodpecker-ci/woodpecker/pull/3888)] +- Sort users by login [[#3891](https://github.com/woodpecker-ci/woodpecker/pull/3891)] +- Exclude dummy backend in production [[#3877](https://github.com/woodpecker-ci/woodpecker/pull/3877)] +- Fix deploy task env [[#3878](https://github.com/woodpecker-ci/woodpecker/pull/3878)] +- Get default branch and show message in pipeline list [[#3867](https://github.com/woodpecker-ci/woodpecker/pull/3867)] +- Add timestamp for last work done by agent [[#3844](https://github.com/woodpecker-ci/woodpecker/pull/3844)] +- Adjust logger types [[#3859](https://github.com/woodpecker-ci/woodpecker/pull/3859)] +- Cleanup state reporting [[#3850](https://github.com/woodpecker-ci/woodpecker/pull/3850)] +- Unify DB tables/columns [[#3806](https://github.com/woodpecker-ci/woodpecker/pull/3806)] +- Let webhook pass on pipeline parsing error [[#3829](https://github.com/woodpecker-ci/woodpecker/pull/3829)] +- Exclude mocks from release build [[#3831](https://github.com/woodpecker-ci/woodpecker/pull/3831)] +- K8s secrets reference from step [[#3655](https://github.com/woodpecker-ci/woodpecker/pull/3655)] + +### 🐛 Bug Fixes + +- Handle empty repositories in gitea when listing PRs [[#3925](https://github.com/woodpecker-ci/woodpecker/pull/3925)] +- Update alpine package dep for docker images [[#3917](https://github.com/woodpecker-ci/woodpecker/pull/3917)] +- Don't report error if agent was terminated gracefully 
[[#3894](https://github.com/woodpecker-ci/woodpecker/pull/3894)] +- Let agents continuously report their health [[#3893](https://github.com/woodpecker-ci/woodpecker/pull/3893)] +- Ignore warnings for cli exec [[#3868](https://github.com/woodpecker-ci/woodpecker/pull/3868)] +- Correct favicon states [[#3832](https://github.com/woodpecker-ci/woodpecker/pull/3832)] +- Cleanup of the login flow and tests [[#3810](https://github.com/woodpecker-ci/woodpecker/pull/3810)] +- Fix newlines in logs [[#3808](https://github.com/woodpecker-ci/woodpecker/pull/3808)] +- Fix authentication error handling [[#3807](https://github.com/woodpecker-ci/woodpecker/pull/3807)] + +### 📚 Documentation + +- Streamline docs for new users [[#3803](https://github.com/woodpecker-ci/woodpecker/pull/3803)] +- Add mastodon verification [[#3843](https://github.com/woodpecker-ci/woodpecker/pull/3843)] +- chore(deps): update docs npm deps non-major [[#3837](https://github.com/woodpecker-ci/woodpecker/pull/3837)] +- fix(deps): update docs npm deps non-major [[#3824](https://github.com/woodpecker-ci/woodpecker/pull/3824)] +- Add openSUSE package [[#3800](https://github.com/woodpecker-ci/woodpecker/pull/3800)] +- chore(deps): update docs npm deps non-major [[#3798](https://github.com/woodpecker-ci/woodpecker/pull/3798)] +- Add "Docker Tags" Plugin [[#3796](https://github.com/woodpecker-ci/woodpecker/pull/3796)] +- chore(deps): update dependency marked to v13 [[#3792](https://github.com/woodpecker-ci/woodpecker/pull/3792)] +- chore: fix some comments [[#3788](https://github.com/woodpecker-ci/woodpecker/pull/3788)] + +### Misc + +- chore(deps): update web npm deps non-major [[#3930](https://github.com/woodpecker-ci/woodpecker/pull/3930)] +- chore(deps): update dependency vitest to v2 [[#3905](https://github.com/woodpecker-ci/woodpecker/pull/3905)] +- fix(deps): update module github.com/google/go-github/v62 to v63 [[#3910](https://github.com/woodpecker-ci/woodpecker/pull/3910)] +- chore(deps): update 
docker.io/woodpeckerci/plugin-docker-buildx docker tag to v4.1.0 [[#3908](https://github.com/woodpecker-ci/woodpecker/pull/3908)] +- Update plugin-git and add renovate trigger [[#3901](https://github.com/woodpecker-ci/woodpecker/pull/3901)] +- chore(deps): update docker.io/mstruebing/editorconfig-checker docker tag to v3.0.3 [[#3903](https://github.com/woodpecker-ci/woodpecker/pull/3903)] +- fix(deps): update golang-packages [[#3875](https://github.com/woodpecker-ci/woodpecker/pull/3875)] +- chore(deps): lock file maintenance [[#3876](https://github.com/woodpecker-ci/woodpecker/pull/3876)] +- [pre-commit.ci] pre-commit autoupdate [[#3862](https://github.com/woodpecker-ci/woodpecker/pull/3862)] +- Add dummy backend [[#3820](https://github.com/woodpecker-ci/woodpecker/pull/3820)] +- chore(deps): update dependency replace-in-file to v8 [[#3852](https://github.com/woodpecker-ci/woodpecker/pull/3852)] +- Update forgejo sdk [[#3840](https://github.com/woodpecker-ci/woodpecker/pull/3840)] +- chore(deps): lock file maintenance [[#3838](https://github.com/woodpecker-ci/woodpecker/pull/3838)] +- Allow to set dist dir using env var [[#3814](https://github.com/woodpecker-ci/woodpecker/pull/3814)] +- chore(deps): lock file maintenance [[#3805](https://github.com/woodpecker-ci/woodpecker/pull/3805)] +- chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.15.1 [[#3797](https://github.com/woodpecker-ci/woodpecker/pull/3797)] + ## [2.6.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0) - 2024-06-13 ### ❤️ Thanks to all contributors! ❤️
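Review bot: the Security section of the 2.7.0 entry in CHANGELOG.md has a typo in the #3933 line, "predefinde location" should read "predefined location", and the #3934 line reads better as "variables which could alter execution of plugins" than "who could". If these entries are generated from PR titles, correct the titles so the release notes that announce a security fix read cleanly.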
8aa3e5ec82c9 Disalow to set arbitrary environments for plugins (#3909)
10 files changed · +224 −15
cmd/server/woodpecker_docs_gen.go+1 −1 modified@@ -100,5 +100,5 @@ func toOpenApi3(input, output string) error { return err } - return os.WriteFile(output, data, 0644) + return os.WriteFile(output, data, 0o644) }
pipeline/frontend/yaml/linter/linter.go+11 −9 modified@@ -117,7 +117,7 @@ func (l *Linter) lintContainers(config *WorkflowConfig, area string) error { linterErr = multierr.Append(linterErr, err) } } - if err := l.lintCommands(config, container, area); err != nil { + if err := l.lintSettings(config, container, area); err != nil { linterErr = multierr.Append(linterErr, err) } } @@ -132,16 +132,18 @@ func (l *Linter) lintImage(config *WorkflowConfig, c *types.Container, area stri return nil } -func (l *Linter) lintCommands(config *WorkflowConfig, c *types.Container, field string) error { - if len(c.Commands) == 0 { +func (l *Linter) lintSettings(config *WorkflowConfig, c *types.Container, field string) error { + if len(c.Settings) == 0 { return nil } - if len(c.Settings) != 0 { - var keys []string - for key := range c.Settings { - keys = append(keys, key) - } - return newLinterError(fmt.Sprintf("Cannot configure both commands and custom attributes %v", keys), config.File, fmt.Sprintf("%s.%s", field, c.Name), false) + if len(c.Commands) != 0 { + return newLinterError("Cannot configure both commands and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false) + } + if len(c.Entrypoint) != 0 { + return newLinterError("Cannot configure both entrypoint and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false) + } + if len(c.Environment) != 0 { + return newLinterError("Cannot configure both environment and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false) } return nil }
pipeline/frontend/yaml/linter/linter_test.go+12 −0 modified@@ -157,6 +157,18 @@ func TestLintErrors(t *testing.T) { from: "steps: { build: { image: golang, network_mode: 'container:name' } }", want: "Insufficient privileges to use network_mode", }, + { + from: "steps: { build: { image: golang, settings: { test: 'true' }, commands: [ 'echo ja', 'echo nein' ] } }", + want: "Cannot configure both commands and settings", + }, + { + from: "steps: { build: { image: golang, settings: { test: 'true' }, entrypoint: [ '/bin/fish' ] } }", + want: "Cannot configure both entrypoint and settings", + }, + { + from: "steps: { build: { image: golang, settings: { test: 'true' }, environment: [ 'TEST=true' ] } }", + want: "Cannot configure both environment and settings", + }, } for _, test := range testdata {
pipeline/frontend/yaml/linter/schema/schema.json+168 −3 modified@@ -304,10 +304,24 @@ } }, "step": { + "description": "A step of your workflow executes either arbitrary commands or uses a plugin. Read more: https://woodpecker-ci.org/docs/usage/workflow-syntax#steps", + "oneOf": [ + { + "$ref": "#/definitions/commands_step" + }, + { + "$ref": "#/definitions/entrypoint_step" + }, + { + "$ref": "#/definitions/plugin_step" + } + ] + }, + "commands_step": { "description": "Every step of your pipeline executes arbitrary commands inside a specified docker container. Read more: https://woodpecker-ci.org/docs/usage/workflow-syntax#steps", "type": "object", "additionalProperties": false, - "required": ["image"], + "required": ["image", "commands"], "properties": { "name": { "description": "The name of the step. Can be used if using the array style steps list.", 
@@ -334,8 +348,91 @@ "secrets": { "$ref": "#/definitions/step_secrets" }, - "settings": { - "$ref": "#/definitions/step_settings" + "when": { + "$ref": "#/definitions/step_when" + }, + "volumes": { + "$ref": "#/definitions/step_volumes" + }, + "group": { + "description": "deprecated, use depends_on", + "type": "string" + }, + "depends_on": { + "description": "Execute a step after another step has finished.", + "oneOf": [ + { + "type": "array", + "minLength": 1, + "items": { + "type": "string" + } + }, + { + "type": "string" + } + ] + }, + "detach": { + "description": "Detach a step to run in background until pipeline finishes. Read more: https://woodpecker-ci.org/docs/usage/services#detachment", + "type": "boolean" + }, + "failure": { + "description": "How to handle the failure of this step. Read more: https://woodpecker-ci.org/docs/usage/workflow-syntax#failure", + "type": "string", + "enum": ["fail", "ignore"], + "default": "fail" + }, + "backend_options": { + "$ref": "#/definitions/step_backend_options" + }, + "entrypoint": { + "description": "Defines container entrypoint.", + "oneOf": [ + { + "type": "array", + "minLength": 1, + "items": { + "type": "string" + } + }, + { + "type": "string" + } + ] + } + } + }, + "entrypoint_step": { + "description": "Every step of your pipeline executes arbitrary commands inside a specified docker container. Read more: https://woodpecker-ci.org/docs/usage/workflow-syntax#steps", + "type": "object", + "additionalProperties": false, + "required": ["image", "entrypoint"], + "properties": { + "name": { + "description": "The name of the step. 
Can be used if using the array style steps list.", + "type": "string" + }, + "image": { + "$ref": "#/definitions/step_image" + }, + "privileged": { + "$ref": "#/definitions/step_privileged" + }, + "pull": { + "$ref": "#/definitions/step_pull" + }, + "commands": { + "$ref": "#/definitions/step_commands" + }, + "environment": { + "$ref": "#/definitions/step_environment" + }, + "directory": { + "$ref": "#/definitions/step_directory" + }, + "secrets": { + "$ref": "#/definitions/step_secrets" }, "when": { "$ref": "#/definitions/step_when" 
@@ -392,6 +489,74 @@ } } }, + "plugin_step": { + "description": "Plugins let you execute predefined functions in a more secure context. Read more: https://woodpecker-ci.org/docs/usage/plugins/overview", + "type": "object", + "additionalProperties": false, + "required": ["image"], + "properties": { + "name": { + "description": "The name of the step. Can be used if using the array style steps list.", + "type": "string" + }, + "image": { + "$ref": "#/definitions/step_image" + }, + "privileged": { + "$ref": "#/definitions/step_privileged" + }, + "pull": { + "$ref": "#/definitions/step_pull" + }, + "directory": { + "$ref": "#/definitions/step_directory" + }, + "secrets": { + "$ref": "#/definitions/step_secrets" + }, + "settings": { + "$ref": "#/definitions/step_settings" + }, + "when": { + "$ref": "#/definitions/step_when" + }, + "volumes": { + "$ref": "#/definitions/step_volumes" + }, + "group": { + "description": "deprecated, use depends_on", + "type": "string" + }, + "depends_on": { + "description": "Execute a step after another step has finished.", + "oneOf": [ + { + "type": "array", + "minLength": 1, + "items": { + "type": "string" + } + }, + { + "type": "string" + } + ] + }, + "detach": { + "description": "Detach a step to run in background until pipeline finishes. Read more: https://woodpecker-ci.org/docs/usage/services#detachment", + "type": "boolean" + }, + "failure": { + "description": "How to handle the failure of this step. Read more: https://woodpecker-ci.org/docs/usage/workflow-syntax#failure", + "type": "string", + "enum": ["fail", "ignore"], + "default": "fail" + }, + "backend_options": { + "$ref": "#/definitions/step_backend_options" + } + } + }, "step_when": { "description": "Steps can be skipped based on conditions. Read more: https://woodpecker-ci.org/docs/usage/workflow-syntax#when---conditional-execution", "oneOf": [
pipeline/frontend/yaml/linter/schema/schema_test.go+10 −0 modified@@ -116,6 +116,16 @@ func TestSchema(t *testing.T) { testFile: ".woodpecker/test-custom-backend.yaml", fail: false, }, + { + name: "Broken Plugin by environment", + testFile: ".woodpecker/test-broken-plugin.yaml", + fail: true, + }, + { + name: "Broken Plugin by commands", + testFile: ".woodpecker/test-broken-plugin2.yaml", + fail: true, + }, } for _, tt := range testTable {
pipeline/frontend/yaml/linter/schema/.woodpecker/test-broken-plugin2.yaml+8 −0 added@@ -0,0 +1,8 @@ +steps: + publish: + image: plugins/docker + settings: + repo: foo/bar + tags: latest + commands: + - env
pipeline/frontend/yaml/linter/schema/.woodpecker/test-broken-plugin.yaml+8 −0 added@@ -0,0 +1,8 @@ +steps: + publish: + image: plugins/docker + settings: + repo: foo/bar + tags: latest + environment: + CGO: 0
pipeline/frontend/yaml/linter/schema/.woodpecker/test-step.yaml+1 −1 modified@@ -18,7 +18,7 @@ steps: image: alpine entrypoint: ['some_entry', '--some-flag'] - singla-entrypoint: + single-entrypoint: image: alpine entrypoint: some_entry
pipeline/frontend/yaml/types/container.go+3 −1 modified@@ -123,7 +123,9 @@ func (c *ContainerList) UnmarshalYAML(value *yaml.Node) error { } func (c *Container) IsPlugin() bool { - return len(c.Commands) == 0 && len(c.Entrypoint) == 0 + return len(c.Commands) == 0 && + len(c.Entrypoint) == 0 && + len(c.Environment) == 0 } func (c *Container) IsTrustedCloneImage() bool {
pipeline/log/utils_test.go+2 −0 modified@@ -131,6 +131,8 @@ func TestCopyLineByLineSizeLimit(t *testing.T) { if _, err := w.Write([]byte("67\n89")); err != nil { t.Fatalf("unexpected error: %v", err) } + // wait for writer to write + time.Sleep(time.Millisecond) writes = testWriter.GetWrites() assert.Lenf(t, testWriter.GetWrites(), 2, "expected 2 writes, got: %v", writes)
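Review bot: in pipeline/frontend/yaml/linter/linter.go, lintSettings returns on the first conflict it finds, so a step that combines settings with commands, entrypoint and environment reports only the commands error and the author has to fix and re-lint to discover the next one. lintContainers already aggregates with multierr.Append; consider appending each of the three newLinterError results the same way and returning the combined error.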
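Review bot: in pipeline/frontend/yaml/linter/schema/schema.json, the array branches of depends_on and entrypoint in the new commands_step and plugin_step definitions use "minLength": 1, which JSON Schema applies only to strings, so an empty array still validates; use "minItems": 1 there. The entrypoint_step description is also a copy of the commands_step text ("executes arbitrary commands inside a specified docker container") and should describe the entrypoint case.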
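Review bot: IsPlugin() in pipeline/frontend/yaml/types/container.go now also requires Environment to be empty, but none of the 10 files in this commit adds a unit test for it and the function carries no comment saying why environment disqualifies a step. Add a doc comment and a table test covering commands-only, entrypoint-only, environment-only and settings-only steps, so a later refactor cannot quietly drop the third condition.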
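Review bot: the time.Sleep(time.Millisecond) added to TestCopyLineByLineSizeLimit in pipeline/log/utils_test.go synchronises on wall-clock time, which can still be too short on a loaded CI runner and leaves the test flaky. Poll for the condition instead, for example with assert.Eventually on len(testWriter.GetWrites()) == 2, or have the test writer signal when the write has landed.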
31a45e56331a Add blocklist of environment variables who could alter execution of plugins (#3934)
3 files changed · +60 −1
flake.nix+1 −0 modified@@ -18,6 +18,7 @@ gnumake gnutar zip + tree # frontend nodejs_20
pipeline/frontend/yaml/compiler/convert.go+6 −1 modified@@ -131,9 +131,14 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe return nil, err } + toUpperTarget := strings.ToUpper(requested.Target) + if !environmentAllowed(toUpperTarget, stepType) { + continue + } + environment[requested.Target] = secretValue // TODO: deprecated, remove in 3.x - environment[strings.ToUpper(requested.Target)] = secretValue + environment[toUpperTarget] = secretValue } if utils.MatchImage(container.Image, c.escalated...) && container.IsPlugin() {
pipeline/frontend/yaml/compiler/environment.go+53 −0 added@@ -0,0 +1,53 @@ +// Copyright 2024 Woodpecker Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package compiler + +import backend_types "go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/types" + +/* cSpell:disable */ + +var binaryVars = []string{ + "PATH", // Specifies directories to search for executable files + "PATH_SEPARATOR", // Defines the separator used in the PATH variable + "COMMAND_MODE", // (macOS): Can affect how certain commands are interpreted + "DYLD_FALLBACK_FRAMEWORK_PATH", // (macOS): Specifies additional locations to search for frameworks + "DYLD_FALLBACK_LIBRARY_PATH", // (macOS): Specifies additional locations to search for libraries +} + +var libraryVars = []string{ + "LD_PRELOAD", // Specifies shared libraries to be loaded before all others + "LD_LIBRARY_PATH", // Specifies directories to search for shared libraries before the standard locations + "LD_AUDIT", // Specifies a shared object to be used for auditing + "LD_BIND_NOW", // Forces all relocations to be processed immediately + "LD_PROFILE", // Specifies a shared object to be used for profiling + "LIBPATH", // (AIX): Similar to LD_LIBRARY_PATH on AIX systems + "DYLD_INSERT_LIBRARIES", // (macOS): Similar to LD_PRELOAD on macOS + "DYLD_LIBRARY_PATH", // (macOS): Similar to LD_LIBRARY_PATH on macOS +} + +/* cSpell:enable */ + +func environmentAllowed(envKey string, stepType backend_types.StepType) bool { + 
switch stepType { + case backend_types.StepTypePlugin, + backend_types.StepTypeClone: + for _, v := range append(binaryVars, libraryVars...) { + if envKey == v { + return false + } + } + } + return true +}
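Review bot: in createProcess (pipeline/frontend/yaml/compiler/convert.go), a secret whose target is on the blocklist is skipped with a bare continue, so the step runs without the variable and the pipeline author gets no indication why. Return an error or record a warning that names requested.Target, so that a misconfigured secret and a blocked attempt are both visible to whoever reviews the pipeline.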
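Review bot: environmentAllowed in pipeline/frontend/yaml/compiler/environment.go compares envKey to the blocklist with == and relies on the caller having applied strings.ToUpper, which holds for the one call site in convert.go but is easy to miss at the next one; normalise inside the function or state the precondition in a doc comment. The append(binaryVars, libraryVars...) on every call can be replaced by a set built once, and this commit (3 files changed) adds no unit test for the function.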
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3wf2-2pq4-4rvc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-41122 (ghsa, ADVISORY)
- github.com/woodpecker-ci/woodpecker-security/issues/10 (ghsa, x_refsource_MISC, WEB)
- github.com/woodpecker-ci/woodpecker/commit/8aa3e5ec82c92eca3279e4be68625111eeedf1c4 (ghsa, WEB)
- github.com/woodpecker-ci/woodpecker/issues/3929 (ghsa, x_refsource_MISC, WEB)
- github.com/woodpecker-ci/woodpecker/pull/3909 (ghsa, x_refsource_MISC, WEB)
- github.com/woodpecker-ci/woodpecker/pull/3934 (ghsa, x_refsource_MISC, WEB)
- github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-3wf2-2pq4-4rvc (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2024-2998 (ghsa, WEB)