- Description
- tj-actions/branch-names is a GitHub Actions repository that contains workflows to retrieve branch or tag names, with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names GitHub Action workflow that allows arbitrary command execution in downstream workflows. The issue arises from inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. Although internal sanitization mechanisms have been implemented, the action's outputs remain vulnerable, exposing consuming workflows to significant security risk. This is fixed in version 9.0.0.
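The description above says the danger lies in how consuming workflows use the action's output. The workflow below is an added example, not code from the advisory or from the tj-actions project: it places the risky usage pattern beside the hardened one. The output name `current_branch`, the step id `branch`, and the version references are assumptions for illustration; check the action's README for the outputs your pinned version actually exposes, and pin to a full commit SHA rather than the placeholder shown.

```yaml
# Added example (not from the advisory or the tj-actions project).
# Assumptions: output name `current_branch` and step id `branch` are illustrative.
name: branch-names-usage
on: [pull_request, push]

jobs:
  # Risky pattern: the `${{ }}` expression is expanded by the workflow engine
  # *before* the shell starts, so the branch name is spliced into the script
  # text itself. With an affected release (<= 8.2.1) the output is not escaped,
  # which is what lets a crafted branch or tag name alter the command.
  risky:
    runs-on: ubuntu-latest
    steps:
      - id: branch
        uses: tj-actions/branch-names@v8   # assumed to resolve to an affected 8.x release
      - run: echo "Building ${{ steps.branch.outputs.current_branch }}"

  # Hardened pattern: upgrade to 9.0.0 or later AND pass the value through an
  # environment variable. The shell reads $BRANCH as data, never as script text,
  # so the env-var step is worth keeping even after the upgrade.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - id: branch
        uses: tj-actions/branch-names@<full-commit-sha-of-a-9.0.0-or-later-release>   # placeholder, pin the real SHA
      - env:
          BRANCH: ${{ steps.branch.outputs.current_branch }}
        run: echo "Building $BRANCH"
```

To find the risky pattern in your own repositories, search `.github/workflows/` for `run:` steps whose script text contains `${{ steps.<id>.outputs.` and move those values into `env:` as in the hardened job; the same review applies to any other action output that is derived from attacker-controllable data such as branch names, PR titles or commit messages.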
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 9.1
- Impact score
- 5.3
- Exploitability score
- 3.1
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-77
- Hype score
- Not currently trending
#VulnerabilityReport #CICD Critical Command Injection (CVE-2025-54416) in tj-actions/branch-names GitHub Action Exposes 5,000+ Repos https://t.co/AAjP1wlnl7
@Komodosec
31 Aug 2025
124 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical Command Injection Vulnerability in tj-actions/branch-names GitHub Action - CVE-2025-54416 Update to the latest version now to secure your workflows and protect against potential exploits. Read More: https://t.co/sG4YrSEgg4 #GitHubActions #CVE202554416 #Security #CI_CD h
@vulert_official
28 Jul 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical command injection flaw (CVE-2025-54416, CVSS 9.1) in tj-actions/branch-names GitHub Action allows arbitrary code execution in workflows, affecting over 5,000 public repositories. #GitHubActions #CommandInjection #CVE #Cybersecurity #CI_CD https://t.co/1dszfGVXqp
@the_yellow_fall
28 Jul 2025
1151 Impressions
8 Retweets
24 Likes
1 Bookmark
1 Reply
0 Quotes
A serious command injection vulnerability (CVE-2025-54416, CVSS 9.1) has been discovered in the GitHub Action "tj-actions/branch-names". It could affect more than 5,000 public repositories, and the security of the entire CI/CD pipeline
@yousukezan
28 Jul 2025
3345 Impressions
7 Retweets
33 Likes
18 Bookmarks
0 Replies
2 Quotes
CVE-2025-54416 tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and belo… https://t.co/7XAQnSSIOJ
@CVEnew
26 Jul 2025
369 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-54416: CRITICAL] Critical security vulnerability identified in tj-actions/branch-names GitHub Action workflow version 8.2.1 & below. Update to version 9.0.0 to patch a risk of arbitrary command exe...#cve,CVE-2025-54416,#cybersecurity https://t.co/GLm5LGFGeQ https:/
@CveFindCom
26 Jul 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes