# H3-2025-0014

GitHub Actions Insecure Commands

| Property | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.0 |
## Description

The `::set-env` and `::add-path` workflow commands were deprecated by GitHub in 2020 because of an inherent weakness that can lead to code injection.
## Impact

A workflow that still uses these commands is open to exploitation: an attacker may be able to manipulate environment variables and the PATH, and from there execute arbitrary code.
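As an added example (not part of this advisory), the checker below scans workflow text for the deprecated `::set-env` and `::add-path` commands and for the `ACTIONS_ALLOW_UNSECURE_COMMANDS` opt-in that re-enables them, and reports the `$GITHUB_ENV` / `$GITHUB_PATH` file-based replacements; the sample workflow is constructed for the demonstration.

```python
"""Scan GitHub Actions workflow text for deprecated workflow commands.

Constructed example, not part of the original advisory. Flags ``::set-env``
and ``::add-path`` (deprecated by GitHub in 2020 because any value written to
the log through them is interpreted as a command) and the
``ACTIONS_ALLOW_UNSECURE_COMMANDS`` opt-in that switches them back on.
"""
import re
from typing import List, Tuple

# Deprecated command -> the file-based replacement GitHub recommends.
DEPRECATED = {
    "set-env": 'echo "NAME=value" >> "$GITHUB_ENV"',
    "add-path": 'echo "/some/dir" >> "$GITHUB_PATH"',
}
_CMD_RE = re.compile(r"::(set-env|add-path)\b")
_OPT_IN_RE = re.compile(r"ACTIONS_ALLOW_UNSECURE_COMMANDS")


def scan_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding, remediation) for each insecure usage."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        # The opt-in is reported first when it shares a line with a command.
        if _OPT_IN_RE.search(line):
            findings.append((no, "ACTIONS_ALLOW_UNSECURE_COMMANDS enabled",
                             "remove the opt-in; it re-enables set-env/add-path"))
        for m in _CMD_RE.finditer(line):
            cmd = m.group(1)
            findings.append((no, f"deprecated ::{cmd}", f"use {DEPRECATED[cmd]}"))
    return findings


# Constructed sample workflow: one job still using the deprecated commands,
# plus one step that already uses the safe $GITHUB_ENV form.
SAMPLE_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
    steps:
      - run: echo "::set-env name=BUILD_TAG::$SOME_VALUE"
      - run: echo "::add-path::$HOME/.local/bin"
      - run: echo "BUILD_TAG=safe" >> "$GITHUB_ENV"
"""

if __name__ == "__main__":
    for no, finding, fix in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {finding} -> {fix}")
```

Run it over `.github/workflows/*.yml` in a repository to find steps that still need migrating; a step that only writes to `$GITHUB_ENV` or `$GITHUB_PATH` produces no finding.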