
CVE-2025-47271: OZI-Project/ozi-publish Code Injection vulnerability

CVSS Score
6.3 (CVSS 4.0)

Basic Information

EPSS Score
0.19773%
Published
5/12/2025
Updated
5/12/2025
KEV Status
No
Technology
GitHub Actions

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
OZI-Project/publish | actions | >= 1.13.2, < 1.13.6 | 1.13.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the GitHub Action defined in action.yml. The 'Create pull request' step used a run command that interpolated GitHub context expressions (such as the head branch name) and action inputs directly into a gh pr create shell command. The Actions runner substitutes ${{ ... }} expressions textually before the shell parses the script, so a value containing shell metacharacters ($(...), backticks, quotes) is executed as shell code rather than passed as data; the head branch name of a pull request opened from a fork is chosen by the submitter and is therefore attacker-controlled. The patch passes those values through environment variables and references them as quoted shell variables, the standard mitigation for this class of command injection in run steps. The vulnerable 'function' is taken to be the execution of this named step, since its run script contained the flawed command construction; a runtime profiler or GitHub Actions logs identify execution units by step name. The patch diff shows the vulnerable command string removed and replaced with the environment-variable form.
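The shell script below is an added illustration of the two step shapes described above; it is not code from the OZI-Project/publish action, whose exact gh pr create arguments are not on this page. The --base/--head arguments, the stub gh function, the branch name and the action.yml excerpt are constructed for the demonstration. It emulates the runner's textual expansion of ${{ github.head_ref }} by concatenation, shows that the attacker's command substitution runs in the vulnerable shape and not in the env-variable shape, and adds a small grep-based audit for single-line run: steps.

```shell
#!/bin/sh
# Added example (not the OZI-Project/publish action's own code): emulates the
# CVE-2025-47271 pattern and its fix. The real gh CLI is replaced by a stub so
# this runs offline; the branch name and action.yml excerpt are constructed.
set -u

MARKER="${TMPDIR:-/tmp}/ozi_injection_marker.$$"   # assumes TMPDIR has no spaces

# Constructed attacker-controlled branch name: a valid git ref (no spaces or
# forbidden characters) that carries a command substitution. On a pull_request
# event from a fork, github.head_ref is exactly this submitter-chosen string.
BRANCH="feature\$(echo>$MARKER)"

gh() { printf 'gh %s\n' "$*"; }              # stand-in for the gh CLI
injection_happened() { [ -e "$MARKER" ]; }   # 0 if the attacker's command ran
reset_marker() { rm -f "$MARKER"; }

# Vulnerable shape (pre-1.13.6 style step, arguments assumed):
#   run: gh pr create --base main --head "${{ github.head_ref }}"
# The runner replaces ${{ ... }} textually BEFORE the shell parses the script,
# so the quotes in the template are no defence: $( ), backticks and quotes in
# the value become shell syntax. The expansion is reproduced by concatenation.
vulnerable_step() {
    script='gh pr create --base main --head "'"$1"'"'
    eval "$script"
}

# Patched shape:
#   env:
#     HEAD_REF: ${{ github.head_ref }}
#   run: gh pr create --base main --head "$HEAD_REF"
# The value enters the script only as an environment variable; "$HEAD_REF" is
# expanded to a single word and its contents are never re-parsed as shell.
safe_step() {
    HEAD_REF="$1"
    export HEAD_REF
    eval 'gh pr create --base main --head "$HEAD_REF"'
}

# Heuristic audit: list single-line run: steps that interpolate an expression.
# Multi-line 'run: |' blocks need a YAML-aware linter such as actionlint.
audit_run_lines() {
    grep -nE '^[[:space:]]*-?[[:space:]]*run:.*[$][{][{]' "$1" || true
}

# Constructed action.yml excerpt with one vulnerable and one patched step.
SAMPLE="${TMPDIR:-/tmp}/ozi_sample_action.$$.yml"
cat >"$SAMPLE" <<'EOF'
steps:
  - name: Create pull request (vulnerable)
    run: gh pr create --base main --head "${{ github.head_ref }}"
  - name: Create pull request (patched)
    env:
      HEAD_REF: ${{ github.head_ref }}
    run: gh pr create --base main --head "$HEAD_REF"
EOF

reset_marker
vulnerable_step "$BRANCH"
if injection_happened; then echo "vulnerable step: attacker command ran"; fi
reset_marker
safe_step "$BRANCH"
if injection_happened; then echo "safe step: attacker command ran"; else echo "safe step: value passed literally"; fi
reset_marker
audit_run_lines "$SAMPLE"
```

Run it with sh; the vulnerable step creates the marker file and hands gh a truncated branch name, while the patched step creates nothing and gh receives the full branch name as one argument. The audit function only covers single-line run: values; actionlint's untrusted-input check covers the multi-line form as well.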


WAF Protection Rules

WAF Rule

Impact
Potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.

Patches
This is patched in 1.13.6.

Workarounds
Downgrade to <1.13.2.
