Critical severity 9.9 · NVD Advisory · Published Sep 17, 2024 · Updated Apr 15, 2026
CVE-2024-45798
Description
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The arduino-esp32 CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities: code injection in the tests_results.yml workflow (GHSL-2024-169) and environment variable injection (GHSL-2024-170). These issues have been addressed, but users are advised to verify the contents of the downloaded artifacts.
Patches
No patches discovered yet.
References
- codeql.github.com/codeql-query-help/javascript/js-actions-command-injection (nvd)
- github.com/espressif/arduino-esp32/blob/690bdb511d9f001e2066da2dda2c631a3eee270f/.github/workflows/tests_results.yml (nvd)
- github.com/espressif/arduino-esp32/security/advisories/GHSA-h52q-xhg2-6jw8 (nvd)
- securitylab.github.com/research/github-actions-preventing-pwn-requests (nvd)
- securitylab.github.com/research/github-actions-untrusted-input (nvd)