CVE-2025-55192
Description
HomeAssistant-Tapo-Control offers Control for Tapo cameras as a Home Assistant component. Prior to commit 2a3b80f, there is a code injection vulnerability in the GitHub Actions workflow .github/workflows/issues.yml. It does not affect users of the Home Assistant integration itself — it only impacts the GitHub Actions environment for this repository. The vulnerable workflow directly inserted user-controlled content from the issue body (github.event.issue.body) into a Bash conditional without proper sanitization. A malicious GitHub user could craft an issue body that executes arbitrary commands on the GitHub Actions runner in a privileged context whenever an issue is opened. The potential impact is limited to the repository’s CI/CD environment, which could allow access to repository contents or GitHub Actions secrets. This issue has been patched via commit 2a3b80f. Workarounds involve disabling the affected workflow (issues.yml), replacing the unsafe Bash comparison with a safe quoted grep (or a pure GitHub Actions expression check), or ensuring minimal permissions in workflows (permissions: block) to reduce possible impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Code injection in HomeAssistant-Tapo-Control's GitHub Actions workflow allows arbitrary command execution via crafted issue body, impacting CI/CD secrets.
Vulnerability
The HomeAssistant-Tapo-Control repository contained a code injection vulnerability in its GitHub Actions workflow .github/workflows/issues.yml. The workflow directly inserted user-controlled content from the issue body (github.event.issue.body) into a Bash conditional without proper sanitization [1][2][3]. This allowed a malicious GitHub user to craft an issue body that could execute arbitrary commands on the GitHub Actions runner.
Exploitation
Any GitHub user who can open issues in the repository can trigger the vulnerable workflow. The issue body is evaluated in a Bash if statement, and because the content is not sanitized, an attacker can inject shell metacharacters to execute arbitrary commands [2][3]. The workflow runs in a privileged context, making the attack surface significant.
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the GitHub Actions runner. This could lead to unauthorized access to repository contents and GitHub Actions secrets, potentially compromising the entire CI/CD pipeline [2][3]. The vulnerability does not affect users of the Home Assistant integration itself, only the repository's CI/CD environment.
Mitigation
The vulnerability has been patched in commit 2a3b80f by replacing the unsafe Bash comparison with a safe JavaScript evaluation using actions/github-script [1][3]. Workarounds include disabling the affected workflow (issues.yml), replacing the Bash comparison with a quoted grep or a pure GitHub Actions expression check, and ensuring minimal permissions in workflows [3].
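As an added illustration (not the project's own workflow, and not the patched file from the commit in the Patches section), here is how the two workaround patterns named above look in a workflow: handing the issue body to the shell through an environment variable and testing it with a quoted grep -F, and a pure GitHub Actions expression check with contains(). The workflow name, job name, step ids and the faq_match output name are assumptions; the two FAQ strings are the ones from the patch.

```yaml
# Added example, not the project's workflow. Step ids, the job name and
# the "faq_match" output are assumptions; the two FAQ strings come from
# the advisory's patch.
name: Autoclose FAQ matches
on:
  issues:
    types: [opened]

# Least-privilege token for the whole run: closing and labelling an issue
# needs issues: write and nothing more.
permissions:
  contents: read
  issues: write

jobs:
  autoclose-faq:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE (the pre-fix pattern, shown only for contrast): the body is
      # substituted into the script text before bash parses it, so the
      # issue author controls code, not just data.
      #   run: |
      #     if [[ "${{ github.event.issue.body }}" == *"Invalid cloud password"* ]]; then

      # SAFE 1: hand the body to the shell through the environment and use a
      # quoted expansion. Bash never re-parses $ISSUE_BODY, and grep -F
      # matches the FAQ strings literally (no regex, no metacharacters).
      - name: Check issue body with quoted grep
        id: check_body
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          if printf '%s' "$ISSUE_BODY" | grep -qF \
               -e 'Invalid cloud password' \
               -e 'Invalid authentication data. Make sure you have created your 3rd party account via Tapo app.'; then
            echo "faq_match=true" >> "$GITHUB_OUTPUT"
          else
            echo "faq_match=false" >> "$GITHUB_OUTPUT"
          fi

      # SAFE 2: a pure expression check needs no shell at all. contains()
      # treats the body as data, so this single condition could replace the
      # check_body step entirely:
      #   if: contains(github.event.issue.body, 'Invalid cloud password')
      - name: Close issue that matches a known FAQ entry
        if: steps.check_body.outputs.faq_match == 'true'
        uses: peter-evans/close-issue@v3
        with:
          comment: This issue was automatically closed because it matches a known FAQ solution.
```

Either safe form keeps the untrusted body out of any text that a shell parses; the env-variable form is the one to use when the check genuinely needs shell tooling, the expression form when a substring test is all that is required.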
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE) range: 1.0, 1.1, 1.2, …
- (no CPE)
Patches
2a3b80ff128d Update issues.yml
1 file changed · +22 −11
.github/workflows/issues.yml+22 −11 modified@@ -1,9 +1,16 @@ name: Autocloser + on: issues: types: [opened] + +permissions: + contents: read + issues: write + jobs: autoclose: + name: Autoclose template-mismatched issues runs-on: ubuntu-latest steps: - name: Autoclose issues that did not follow issue template 
@@ -12,26 +19,30 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} issue-close-message: "@${issue.user.login} this issue was automatically closed because it did not follow the [Bug Report](https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/new?assignees=&labels=bug&template=bug_report.yml) or [Feature Request](https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/new?assignees=JurajNyiri&labels=enhancement&template=feature_request.md&title=Feature+Request%3A) template." issue-pattern: ".*Camera has all attributes filled out in developer tools.*|.*Is your feature request related to a problem.*" + autoclose-cloud-token: + name: Autoclose known FAQ matches runs-on: ubuntu-latest steps: - - name: Check issue description for invalid string + - name: Check issue description for known FAQ strings id: check_body - run: | - if [[ "${{ github.event.issue.body }}" == *"Invalid cloud password"* ]]; then - echo "contains_invalid_string=true" >> $GITHUB_ENV - elif [[ "${{ github.event.issue.body }}" == *"Invalid authentication data. Make sure you have created your 3rd party account via Tapo app."* ]]; then - echo "contains_invalid_string=true" >> $GITHUB_ENV - else - echo "contains_invalid_string=false" >> $GITHUB_ENV - fi + uses: actions/github-script@v7 + with: + result-encoding: string + script: | + const body = context.payload.issue?.body || ""; + const s1 = "Invalid cloud password"; + const s2 = "Invalid authentication data. Make sure you have created your 3rd party account via Tapo app."; + const matched = body.includes(s1) || body.includes(s2); + core.setOutput("contains_invalid_string", matched ? 
"true" : "false"); + - name: Close Issue - comment - if: env.contains_invalid_string == 'true' + if: steps.check_body.outputs.contains_invalid_string == 'true' uses: peter-evans/close-issue@v3 with: comment: | This issue was automatically closed because it matches a known [FAQ](https://github.com/JurajNyiri/HomeAssistant-Tapo-Control?tab=readme-ov-file#troubleshooting--faq) solution. Note: This action has been done automatically, owner is notified about this issue and if there is a need he will reopen. labels: | - Duplicate \ No newline at end of file + Duplicate
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3 entries
News mentions
No linked articles in our index yet.