H3-2025-0012
GitHub Actions Template Injection
| Attribute | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.0 |
Description
GitHub Actions workflows commonly use templates to automate tasks. These templates dynamically incorporate data that may originate from untrusted sources, such as user comments or external API responses. When such data is inserted into a template without sanitization or validation, whoever controls it can alter the template's logic or inject commands. Once the manipulated template is rendered as part of the workflow, the injected code runs with the same privileges as the workflow itself.
Impact
Injecting malicious code into templates can allow an attacker to execute arbitrary commands within the workflow, potentially leading to unauthorized access to secrets or system compromise.
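As an added illustration (not part of this advisory), the following Python helper flags `${{ }}` expressions in a step's `run:` script that read attacker-influenced event fields and rewrites the step to pass those values through `env:` instead, so the runner substitutes them into a shell variable rather than into the script source. The list of untrusted contexts and the sample step are constructed assumptions for this example.

```python
import re
from typing import Dict, List

# Added example, not from the advisory: detect and rewrite the unsafe pattern
# in which an untrusted event field is interpolated straight into `run:`.

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

# Contexts that anyone who opens an issue/PR or pushes a commit can influence.
# Illustrative prefix list, not exhaustive (assumption for this example).
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.event.head_commit.author.name",
    "github.event.head_commit.author.email",
    "github.head_ref",
)

# Constructed sample step in the shape the advisory describes (assumes a bash runner).
VULNERABLE_STEP: Dict = {
    "name": "Announce issue",
    "run": 'echo "New issue: ${{ github.event.issue.title }}"',
}


def untrusted_expressions(script: str) -> List[str]:
    """Return every ${{ ... }} expression in a run script that reads an untrusted context."""
    return [e for e in EXPR_RE.findall(script) if e.startswith(UNTRUSTED_PREFIXES)]


def harden_step(step: Dict) -> Dict:
    """Move each untrusted expression from `run:` into `env:` and reference it as $VAR.

    The template engine then expands the value into an environment variable, which the
    shell treats as data, instead of pasting it into the script before the shell parses it.
    """
    script = step.get("run", "")
    env = dict(step.get("env", {}))
    for expr in dict.fromkeys(untrusted_expressions(script)):  # unique, in order
        name = re.sub(r"[^A-Z0-9]+", "_", expr.upper()).strip("_")  # GITHUB_EVENT_ISSUE_TITLE
        env[name] = "${{ " + expr + " }}"
        script = re.sub(r"\$\{\{\s*" + re.escape(expr) + r"\s*\}\}", "$" + name, script)
    hardened = dict(step)
    hardened["run"] = script
    if env:
        hardened["env"] = env
    return hardened
```

Quote `$VAR` inside the script as you would any shell variable; the point of the rewrite is that its contents are never re-parsed as script text.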