H3-2025-0015
GitHub Actions Dangerous Environment Variable Writes
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 6.0 |
Description
The use of GITHUB_ENV and GITHUB_PATH environment variables may allow an attacker to set arbitrary variables.
Impact
When used in workflows with dangerous triggers (such as pull_request_target and workflow_run), GITHUB_ENV and GITHUB_PATH can be an arbitrary code execution risk.
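One way to check a workflow file for this combination, as an added example that is not part of the original advisory or of any scanner's own code: a line-based heuristic (no YAML parser) that looks for the two triggers named above in the top-level on: block and for shell writes to GITHUB_ENV or GITHUB_PATH. The function names and the sample workflows are constructed for illustration.

```python
import re

# Triggers the advisory names as dangerous.
TRIGGER_RE = re.compile(r"\b(pull_request_target|workflow_run)\b")
ON_RE = re.compile(r"""^["']?on["']?\s*:""")
# Shell redirection or `tee` into the file named by GITHUB_ENV / GITHUB_PATH.
WRITE_RE = re.compile(r"""(?:>>?|\btee\b[^|;&]*?)\s*["']?\$\{?(GITHUB_(?:ENV|PATH))\b""")

def audit_workflow(text):
    """Return (triggers, writes); writes is a list of (line_no, variable)."""
    triggers, writes, in_on = set(), [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t-":               # a new top-level key starts here
            in_on = bool(ON_RE.match(line))
        if in_on:
            triggers.update(TRIGGER_RE.findall(line))
        writes += [(no, m.group(1)) for m in WRITE_RE.finditer(line)]
    return sorted(triggers), writes

def is_risky(text):
    """True when a dangerous trigger and a GITHUB_ENV/GITHUB_PATH write coexist."""
    triggers, writes = audit_workflow(text)
    return bool(triggers and writes)

# Constructed sample workflows (not taken from any real repository).
FLAGGED = """\
name: build
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "BUILD_TAG=$(cat .build-tag)" >> "$GITHUB_ENV"
          echo "$PWD/tools/bin" | tee -a $GITHUB_PATH
"""
NOT_FLAGGED = FLAGGED.replace("pull_request_target", "pull_request")

if __name__ == "__main__":
    for name, wf in (("FLAGGED", FLAGGED), ("NOT_FLAGGED", NOT_FLAGGED)):
        print(name, is_risky(wf), audit_workflow(wf))
```

A hit means the workflow needs manual review of where the written value comes from; the heuristic does not trace data flow and does not cover writes made from inside third-party actions.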