Medium severityNVD Advisory· Published May 12, 2025· Updated Apr 15, 2026

CVE-2025-47271

Description

The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
OZI-Project/publishGitHub Actions	>= 1.13.2, < 1.13.6	1.13.6

Patches

abd8524ec698

https://github.com/ozi-project/publishvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-2487-9f55-2vg9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-47271ghsaADVISORY
github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5cnvdWEB
github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000