Medium severityOSV Advisory· Published May 12, 2025· Updated Apr 15, 2026
CVE-2025-47271
CVE-2025-47271
Description
The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OZI-Project/publishGitHub Actions | >= 1.13.2, < 1.13.6 | 1.13.6 |
Affected products
2- Range: 0.1.0, 0.1.1, 0.1.10, …
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.