HIGH · CVSS 8.5
Class vulnerability — pull_request_target with secret leak
pull_request_target runs the workflow from the base branch with the repository's secrets available and a read/write GITHUB_TOKEN, because it is meant for trusted code. If that workflow checks out the PR head ref and then builds, tests, or otherwise executes what it checked out, the attacker's code runs in the privileged context and can read every secret the job passes to a step (env, with, or inputs) and use the token to write to the repository.
Affects
- GitHub Actions using pull_request_target trigger with checkout of PR head
What an attacker does
Attacker forks the repo and opens a PR whose head contains malicious build or test logic (a package.json script, a setup.py, a Makefile target, a test file). Edits the PR makes to .github/workflows/ do not run: pull_request_target always executes the base branch's workflow. That base workflow checks out the PR head and runs its build or tests, so the attacker's code executes with the repository's secrets and a write-capable GITHUB_TOKEN in scope and can exfiltrate them or push to protected branches.
How to detect
Audit .github/workflows/ for files that trigger on pull_request_target (grep -rn pull_request_target .github/workflows/). In each match, look for an actions/checkout step whose ref is github.event.pull_request.head.sha, github.event.pull_request.head.ref, github.head_ref, or refs/pull/<n>/merge, followed by any step that executes checked-out content (npm ci, pip install, make, test runners, pre-commit hooks). A checkout of the head without executing it is not exploitable on its own; the execution step is the sink.
How to fix
Use pull_request for anything that must build or test untrusted PR code: for fork PRs it runs with no repository secrets and a read-only GITHUB_TOKEN. Reserve pull_request_target for jobs that only need PR metadata (labelling, commenting, status checks) and never check out the head. If a privileged job really must run fork code, gate it on a maintainer-applied label (types: [labeled] plus an if: on github.event.label.name) or an author_association check, pin the checkout to the reviewed commit SHA rather than the head ref, and do not also trigger on synchronize, since a later push would re-run with the label still attached.
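The detection and fix guidance above, as an added example rather than Securie's own rule: a dependency-free, line-based scanner that flags a workflow when it triggers on pull_request_target and has an actions/checkout step whose ref resolves to the PR head. The three workflow texts are constructed samples (the vulnerable pattern, the pull_request-based fix, and a label-gated pull_request_target job that checks out only the base branch); the scan_workflow and scan_workflows names are this example's own. Line-based parsing is a heuristic; a production check should parse the YAML.

```python
"""Heuristic scanner for pull_request_target + PR-head checkout.

Added example, not Securie's GithubActionsRule. Line-based rather than a
YAML parser so it runs with no dependencies.
"""
import re
from pathlib import Path

# Expressions in a checkout `ref:` that resolve to attacker-controlled code.
HEAD_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/"
)
# `on: pull_request_target`, `on: [push, pull_request_target]`, or a
# `pull_request_target:` key inside an `on:` block.
TRIGGER_RE = re.compile(r"^\s*(on:.*\bpull_request_target\b|pull_request_target:)")
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
REF_RE = re.compile(r"^\s*ref:\s*(.+)$")


def scan_workflow(text: str) -> list[str]:
    """Return findings for one workflow file's contents (empty if clean)."""
    lines = text.splitlines()
    if not any(TRIGGER_RE.search(line) for line in lines):
        return []  # not privileged: pull_request runs without secrets
    findings = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.match(line):
            continue
        # Keys of this step (with:, name:, ...) sit at the column of `uses:`;
        # anything indented less than that starts the next step or job.
        key_indent = line.index("uses:")
        for j in range(i + 1, len(lines)):
            nxt = lines[j]
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_indent:
                break
            m = REF_RE.match(nxt)
            if m and HEAD_REF_RE.search(m.group(1)):
                findings.append(
                    f"line {j + 1}: pull_request_target workflow checks out "
                    f"PR head ({m.group(1).strip()})"
                )
    return findings


def scan_workflows(root: str) -> dict[str, list[str]]:
    """Scan every workflow under <root>/.github/workflows/."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        found = scan_workflow(path.read_text())
        if found:
            results[str(path)] = found
    return results


# Constructed sample: privileged trigger + head checkout + execution of the
# checked-out tree, with a secret in scope. This is the vulnerable pattern.
VULNERABLE = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: same job on pull_request, so fork PRs get no secrets.
SAFE = """\
name: PR build
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed sample: privileged job gated on a maintainer label that only
# ever checks out the base branch (no ref override), so no fork code runs.
GATED = """\
name: Preview deploy
on:
  pull_request_target:
    types: [labeled]
jobs:
  deploy:
    if: github.event.label.name == 'safe-to-deploy'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy-preview.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("safe", SAFE), ("gated", GATED)):
        print(name, scan_workflow(text) or "clean")
    print(scan_workflows("."))
```

The scanner does not look at `if:` conditions, so a label-gated job that still checks out the head is flagged; that is intended, since the gate is a human-review control the auditor should confirm by hand rather than something a static pass can verify.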
How Securie catches it
Securie's GithubActionsRule (static-rules) plus the iac_security specialist flag workflows that combine a pull_request_target trigger with a checkout of the PR head ref.