H3-2025-0010
GitHub Actions Ref Confusion

| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.0 |

Description
GitHub Actions workflows that reference actions with an ambiguous symbolic reference such as `@v1`, which can resolve to either a branch or a tag, are susceptible to ref confusion attacks via a branch or tag that carries the same name.
Impact
An attacker who can create a branch or tag with the same name as the symbolic reference could exploit this ambiguity, causing the workflow to execute unintended and potentially harmful code.
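As an added example that is not part of this advisory or of any GitHub tooling, the script below shows the misconfiguration beside its remediation and implements the check a defender would run over a workflow file: every remote `uses:` reference must be pinned to a full 40-character commit SHA rather than a mutable tag or branch name. The two workflow texts and the SHAs in them are constructed placeholders, not real commits; the parser is a deliberately small regex that handles the common one-line `uses:` form so the example needs no YAML library.

```python
import re

# Constructed sample workflow (not from the advisory). The two remote actions use
# symbolic refs ("v4", "main") that a branch or tag of the same name could satisfy.
VULNERABLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # mutable: tag or branch named v4
      - uses: ./.github/actions/local      # local path, no git ref to resolve
      - uses: docker://alpine:3.20         # container image, not a git ref
      - uses: actions/setup-python@main    # mutable: branch name
"""

# Same workflow with remote actions pinned to full-length commit SHAs.
# The SHAs are placeholders (constructed), not the real commits behind those tags.
HARDENED_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef # was @main
"""

# Matches "- uses: <value>" or "uses: <value>" and captures the value up to whitespace,
# a quote, or a trailing "# comment". Single-line form only (hypothetical helper regex).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(value):
    """Classify a uses: value as 'local', 'docker', 'sha' (immutable) or 'mutable'."""
    if value.startswith("./"):
        return "local"          # action in the same repository, checked out with it
    if value.startswith("docker://"):
        return "docker"         # container reference; out of scope for git ref pinning
    if "@" not in value:
        return "mutable"        # no ref given at all: treat as unpinned
    _repo, ref = value.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_number, value)] for every remote action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify_uses(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings


def pin_to_sha(value, full_sha):
    """Rewrite 'owner/repo@ref' as 'owner/repo@<sha> # ref', keeping the ref as a comment."""
    if not FULL_SHA_RE.match(full_sha):
        raise ValueError("pinning requires a full 40-character lowercase hex commit SHA")
    repo, ref = value.rsplit("@", 1)
    return f"{repo}@{full_sha} # {ref}"


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = find_unpinned(text)
        print(f"{name}: {len(hits)} unpinned action(s)")
        for lineno, value in hits:
            print(f"  line {lineno}: {value}")
```

Run against the two constructed workflows, the checker reports the `@v4` and `@main` references in the first and nothing in the second. The `# v4` comment that `pin_to_sha` appends keeps the pinned line readable and is the convention dependency-update tooling uses to recognise which release a SHA corresponds to, so pinning does not have to mean losing track of versions.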