CVE-2025-54416

Published Jul 26, 2025

Last updated 17 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-54416 refers to a critical command injection vulnerability found in the tj-actions/branch-names GitHub Action. This vulnerability affects versions 8.2.1 and below. The tj-actions/branch-names GitHub Action is a utility used to retrieve branch and tag names during CI/CD operations. It is often used to trigger tests or deployment workflows. The vulnerability stems from the misuse of shell commands within the action's code, specifically inconsistent input sanitization and unescaped output. Because the action passes values through `eval`, a specially crafted branch or tag name can trigger command execution during CI workflows. An attacker could create a branch with a malicious payload that, when a pull request is opened, executes arbitrary commands on GitHub-hosted runners. This could lead to the exfiltration of sensitive secrets, unauthorized write access, injection of malicious code, or compromise of the CI/CD pipeline.

Description
tj-actions/branch-names is a GitHub Actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names' GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0.
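The two descriptions above name the same two conditions a consuming repository should look for: a pin of tj-actions/branch-names below the fixed version 9.0.0, and action outputs (which the advisory says remain unescaped) being substituted directly into a `run:` script, where a branch name becomes shell syntax. The following scanner is an added example for this page, not code from the advisory or from the tj-actions project. It walks a workflow file with regular expressions rather than a YAML parser, so it is a triage heuristic; the sample workflow is constructed here, and the output name `current_branch` in it is assumed for illustration. The "safe" step shows the standard hardening of passing the value through `env:` and quoting it as `"$BRANCH"` instead of interpolating the `${{ }}` expression into the script text.

```python
import re

# Constructed sample workflow for this example; it is not from the advisory
# or from any real repository. The output name "current_branch" is assumed.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: branch
        uses: tj-actions/branch-names@v8.2.1
      - name: unsafe use of the action output
        run: echo "Branch is ${{ steps.branch.outputs.current_branch }}"
      - name: safe use of the action output
        env:
          BRANCH: ${{ steps.branch.outputs.current_branch }}
        run: |
          printf 'Branch is %s\\n' "$BRANCH"
"""

FIXED_VERSION = (9, 0, 0)  # first release the advisory lists as fixed
PIN_RE = re.compile(r'uses:\s*tj-actions/branch-names@(\S+)')
EXPR_RE = re.compile(r'\$\{\{\s*([^}]+?)\s*\}\}')
RUN_RE = re.compile(r'^(\s*)run:\s*(.*)$')


def parse_version(ref):
    """Return (major, minor, patch) for a tag such as v8.2.1 or v8.
    Returns None for commit-SHA or branch pins, which need manual mapping."""
    m = re.fullmatch(r'v?(\d+)(?:\.(\d+))?(?:\.(\d+))?', ref)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def classify_pins(text):
    """List (line_number, ref, status) for every tj-actions/branch-names pin.
    status is 'vulnerable' (< 9.0.0), 'fixed' (>= 9.0.0) or 'unknown'."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PIN_RE.search(line)
        if not m:
            continue
        ref = m.group(1)
        ver = parse_version(ref)
        if ver is None:
            status = "unknown"
        elif ver < FIXED_VERSION:
            status = "vulnerable"
        else:
            status = "fixed"
        results.append((lineno, ref, status))
    return results


def iter_run_scripts(text):
    """Yield (first_line_number, script) for every `run:` step, handling both
    single-line values and YAML block scalars (`run: |` / `run: >`)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest and rest[0] in "|>":
            # Block scalar: body is every following line indented deeper than `run:`.
            body, j = [], i + 1
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > indent
            ):
                body.append(lines[j])
                j += 1
            yield i + 2, "\n".join(body)
            i = j
        else:
            yield i + 1, rest
            i += 1


def find_unsafe_interpolations(text):
    """List (line_number, expression) for `${{ ... }}` expressions placed inside
    a `run:` script. These are substituted into the script text before the shell
    parses it, so an attacker-influenced value (a branch name, for instance)
    is read as shell syntax. Values read from `env:` as "$VAR" are not flagged."""
    hits = []
    for start, script in iter_run_scripts(text):
        for offset, line in enumerate(script.splitlines()):
            for m in EXPR_RE.finditer(line):
                hits.append((start + offset, m.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, ref, status in classify_pins(SAMPLE_WORKFLOW):
        print(f"line {lineno}: tj-actions/branch-names@{ref} -> {status}")
    for lineno, expr in find_unsafe_interpolations(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{expr}' is interpolated into a run: script")
```

Run against a repository's `.github/workflows/*.yml` files, the first function identifies pins that need the 9.0.0 upgrade, and the second identifies the downstream sinks that stay risky regardless of action version whenever a `${{ }}` value is spliced into script text; SHA pins come back as `unknown` because a commit cannot be mapped to a release without consulting the project's tags.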
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.3
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-77

Social media

Hype score
Not currently trending
  1. Critical Command Injection Vulnerability in tj-actions/branch-names GitHub Action - CVE-2025-54416 Update to the latest version now to secure your workflows and protect against potential exploits. Read More: https://t.co/sG4YrSEgg4 #GitHubActions #CVE202554416 #Security #CI_CD h

    @vulert_official

    28 Jul 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. A critical command injection flaw (CVE-2025-54416, CVSS 9.1) in tj-actions/branch-names GitHub Action allows arbitrary code execution in workflows, affecting over 5,000 public repositories. #GitHubActions #CommandInjection #CVE #Cybersecurity #CI_CD https://t.co/1dszfGVXqp

    @the_yellow_fall

    28 Jul 2025

    1151 Impressions

    8 Retweets

    24 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  3. A serious command injection vulnerability (CVE-2025-54416, CVSS 9.1) has been discovered in the GitHub Action "tj-actions/branch-names". It could affect more than 5,000 public repositories, and the security of the entire CI/CD pipeline

    @yousukezan

    28 Jul 2025

    3345 Impressions

    7 Retweets

    33 Likes

    18 Bookmarks

    0 Replies

    2 Quotes

  4. CVE-2025-54416 tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and belo… https://t.co/7XAQnSSIOJ

    @CVEnew

    26 Jul 2025

    369 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [CVE-2025-54416: CRITICAL] Critical security vulnerability identified in tj-actions/branch-names GitHub Action workflow version 8.2.1 & below. Update to version 9.0.0 to patch a risk of arbitrary command exe...#cve,CVE-2025-54416,#cybersecurity https://t.co/GLm5LGFGeQ https:/

    @CveFindCom

    26 Jul 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes