The vulnerability exists because the claude-code-action checks out the head of a pull request, which is controlled by the PR author, and then runs the Claude CLI, which reads configuration files like .mcp.json from the current working directory. An attacker could submit a PR with a malicious .mcp.json file that specifies commands to be executed, leading to remote code execution on the GitHub Actions runner.
The analysis of the patch between versions 1.0.73 and 1.0.74 reveals the exact fix. The commit 9ddce40de8c1ab71fb6303a125fdad0968dc1312 introduces a sanitization step.
The primary vulnerable function is run in src/entrypoints/run.ts. This function orchestrates the action's execution. Before the patch, it would directly proceed to install and run the Claude CLI without cleaning the workspace. The patch modifies this run function to call a new function, restoreConfigFromBase, before any configuration is read.
The new restoreConfigFromBase function, located in src/github/operations/restore-config.ts, is the mitigation. It uses git commands to delete a list of sensitive paths (e.g., .mcp.json, .claude/) from the PR's checkout and then restores them with the versions from the trusted base branch. This ensures that any malicious configuration from the attacker is overwritten before the CLI can read it.
Therefore, during exploitation of a vulnerable version, the run function would be on the call stack as it sets up the environment where the malicious configuration is processed by the Claude CLI. The presence of restoreConfigFromBase in a runtime profile would indicate that the patched, non-vulnerable version is being used.