H3-2025-0005
GitHub Actions Dangerous Triggers
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.0 |
Description
GitHub Actions workflows that use the dangerous triggers pull_request_target or workflow_run run in the context of the target repository and are typically triggerable by the target repository.
Impact
This can lead to attacker-controlled code execution or unexpected action runs with context controlled by a malicious fork.
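One way to audit a repository for this finding, added here as an example and not part of the original advisory: the script below reads a workflow file, reports whether its top-level `on:` key uses either trigger, and raises the severity when the file also references fork-supplied context. The list of fork-context expressions and the three severity labels are assumptions of this example, and the sample workflows are constructed.

```python
import re

DANGEROUS = ("pull_request_target", "workflow_run")
# Heuristic (assumption): expressions that pull fork-controlled data into the run.
FORK_CONTEXT = re.compile(r"github\.event\.pull_request\.head\.\w+"
                          r"|github\.event\.workflow_run\.head_\w+|github\.head_ref")

def on_block(text):
    """Return the value of the top-level `on:` key: inline part plus indented body."""
    out, inside = [], False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if re.match(r"""["']?on["']?\s*:""", line):     # unindented `on:` key
            inside = True
            out.append(line.split(":", 1)[1])
        elif inside and line[0] in " \t":               # still inside the block
            out.append(line)
        elif inside:                                    # next top-level key
            break
    return "\n".join(out)

def audit(text):
    """Classify one workflow file: none / review / high."""
    block = on_block(text)
    triggers = [t for t in DANGEROUS if re.search(rf"\b{t}\b", block)]
    refs = sorted(set(FORK_CONTEXT.findall(text))) if triggers else []
    severity = "high" if refs else "review" if triggers else "none"
    return {"triggers": triggers, "fork_context": refs, "severity": severity}

# Constructed sample workflows (not taken from any real repository).
RISKY = """\
name: pr-build
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
INLINE = "name: label\non: pull_request_target  # no fork data used\njobs: {}\n"
SAFE = "name: ci\non: [push, pull_request]\njobs: {}\n"
if __name__ == "__main__":
    for name, wf in (("RISKY", RISKY), ("INLINE", INLINE), ("SAFE", SAFE)):
        print(name, audit(wf))
```

A "review" result means the trigger is present but no fork-supplied expression was matched; the scan is line-based, so workflows that reach fork data indirectly (for example through a reusable workflow or a downloaded artifact) still need manual inspection.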