H3-2025-0016
GitHub Actions Cache Poisoning
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.0 |
Description
This vulnerability occurs when a release workflow restores build state (dependencies, build outputs, tool installs) that was cached by earlier workflow runs, typically through actions/cache or the caching built into the setup actions. Artifact publication is usually driven by triggers such as the release event or push events filtered on tags. Caches are scoped by ref, but every ref, including the tag a release workflow runs on, can restore entries created on the default branch, and the restore step performs no integrity check beyond matching the cache key; restore-keys prefix matching widens further which entries can be restored. An attacker who can write a cache entry, for example through code execution in any other workflow running on the default branch, can therefore plant a poisoned entry that the release workflow will later restore and trust.
Impact
Allows an attacker who controls a cache entry to have their payload restored and executed by the release workflow at runtime, with that job's permissions and secrets, potentially compromising the artifacts that are about to be published.
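A check for the misconfiguration described above, added here as an example; it is not tooling from the page's author or from GitHub. It assumes a workflow already loaded with PyYAML's yaml.safe_load (the checker itself only needs the resulting dict, PyYAML is used for the demo in main) and flags, in any workflow triggered by release or by push on tags, steps that restore caches through actions/cache or a setup action's cache option. The two embedded workflows are constructed for the demo. One caveat it encodes: YAML 1.1 loaders read the key `on` as the boolean True, so a naive lookup of the string "on" silently misses every trigger.

```python
"""Flag release workflows that restore caches written by earlier runs.

Added example for this advisory, not the page's or GitHub's own tooling.
Operates on a workflow loaded as a dict (what yaml.safe_load returns).
"""
import re

try:
    import yaml  # PyYAML, used only to load the demo workflows in main
except ImportError:  # the checker itself only needs the parsed dict
    yaml = None

CACHE_ACTION = re.compile(r"^actions/cache(/restore)?(@|$)")
SETUP_ACTION = re.compile(r"^actions/setup-(?P<tool>[a-z]+)(@|$)")
# actions/setup-go (v4 and later) caches unless `cache: false` is given;
# the other setup-* actions cache only when `with: cache:` is set.
CACHES_BY_DEFAULT = {"go"}


def release_triggers(workflow):
    """Return the publishing triggers present: 'release' and/or 'push:tags'."""
    # YAML 1.1 loaders such as PyYAML read the bare key `on` as boolean True.
    on = workflow.get("on", workflow.get(True))
    if on is None:
        return []
    if isinstance(on, str):
        on = {on: None}
    elif isinstance(on, list):
        on = {name: None for name in on}
    hits = []
    if "release" in on:
        hits.append("release")
    push = on.get("push")
    if isinstance(push, dict) and push.get("tags"):
        hits.append("push:tags")
    return hits


def cache_reason(step):
    """Explain why a step restores state from earlier runs, or return None."""
    uses = step.get("uses") or ""
    with_ = step.get("with") or {}
    name = uses.split("@")[0]
    if CACHE_ACTION.match(uses):
        if with_.get("restore-keys"):
            return f"{name} with restore-keys: prefix match widens which entries load"
        return f"{name} restores an entry written by a previous run"
    m = SETUP_ACTION.match(uses)
    if m:
        cache = with_.get("cache")
        if m.group("tool") in CACHES_BY_DEFAULT and cache is not False:
            return f"{name} caches by default; set `cache: false` in release jobs"
        if cache:
            return f"{name} with `cache: {cache}` restores a shared dependency cache"
    return None


def find_cache_in_release(workflow):
    """List cache-restoring steps in a workflow that publishes artifacts."""
    triggers = release_triggers(workflow)
    if not triggers:
        return []
    findings = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            reason = cache_reason(step)
            if reason:
                findings.append({"job": job_name, "step": idx,
                                 "triggers": triggers, "reason": reason})
    return findings


# Constructed demo workflows (not taken from any real repository).
VULNERABLE = """
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: "deps-${{ runner.os }}-${{ hashFiles('package-lock.json') }}"
          restore-keys: "deps-${{ runner.os }}-"
      - run: npm ci && npm run build
      - run: npm publish
"""

# Hardened: the release job resolves every dependency fresh from the lockfile.
HARDENED = """
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4   # no `cache:`, so nothing is restored
      - run: npm ci && npm run build
      - run: npm publish
"""

if __name__ == "__main__" and yaml is not None:
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_cache_in_release(yaml.safe_load(text)))
```

Running the script reports two findings for the first workflow (the setup-node cache and the actions/cache step with restore-keys) and none for the second. The remediation the check points at is the one in the hardened workflow: release jobs should rebuild from the lockfile rather than restore state another run produced; where a cache is unavoidable, use an exact key with no restore-keys and never execute anything out of the restored path.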