CVE-2025-53104
Description
gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl ...)) to execute arbitrary shell commands on the Actions runner. This issue has been fixed in commit e6b4271 where the discussion-to-slack.yml workflow was removed. Users should remove the discussion-to-slack.yml workflow if using a fork or derivative of this repository.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2@gluestack-style/animation-resolver@1.0.3, @gluestack-style/animation-resolver@1.0.4, @gluestack-style/babel-plugin-styled-resolver@1.0.6, …+ 1 more
- (no CPE)range: @gluestack-style/animation-resolver@1.0.3, @gluestack-style/animation-resolver@1.0.4, @gluestack-style/babel-plugin-styled-resolver@1.0.6, …
- (no CPE)range: < e6b4271
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.