Coordinated Disclosure Timeline
- 2025-08-04: Reported to security-rancher@suse.com
- 2025-08-06: Issue fixed
Summary
A code injection vulnerability (GHSL-2025-090) was identified in the latest main branch of the harvester/harvester project, where improper handling of inputs in GitHub Actions with privileged context could allow attackers to execute arbitrary code. This poses a significant security risk, especially if exploited in environments with elevated permissions.
Project
harvester/harvester
Tested Version
latest main branch
Details
Code injection in GitHub Actions with privileged context (GHSL-2025-090)
Vulnerability Description
The GitHub Actions workflow at '.github/workflows/issue-management-link-backport-pr.yaml' contains a code injection vulnerability at line 23. The vulnerability exists in the following code:
title=$(cat <<EOF
"${{ github.event.pull_request.title }}"
EOF
)
The action evaluates user input from github.event.pull_request.title, which can lead to code injection with a maliciously crafted title. Because the ${{ }} expression is expanded into the script text before the shell runs, quoting it or wrapping it in a heredoc does not neutralize it.
The workflow is triggered by pull_request_target on opened events targeting the master and v* branches (lines 4-8):
on:
  pull_request_target:
    types: [ opened ]
    branches:
      - master
      - "v*"
The workflow is triggered by pull_request_target, a highly privileged trigger that runs in the repository's trusted context. This means the workflow can be triggered by an attacker and runs with repository permissions.
In addition, the workflow also contains a custom GitHub token that can be extracted (lines 38-39):
GITHUB_TOKEN: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
The code injection vulnerability could potentially lead to these secrets being exposed.
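The standard mitigation for this class of bug is to pass the untrusted value to the step through an environment variable and let the shell treat it as data. The following workflow fragment is an added example, not the project's own file; the job name, step name and permissions block are assumptions.

```yaml
# Added example (not the harvester/harvester workflow): the trigger from the
# advisory, with the PR title read in a way the expression engine cannot turn
# into shell code. Job/step names and the permissions block are assumptions.
on:
  pull_request_target:
    types: [ opened ]
    branches:
      - master
      - "v*"

# Grant the job only what it needs; the default GITHUB_TOKEN of a
# pull_request_target run would otherwise carry write scopes.
permissions:
  contents: read
  pull-requests: read

jobs:
  link-backport-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Read the PR title safely
        env:
          # The ${{ }} expression is evaluated here, into the step's process
          # environment, not into the script text, so whatever the title
          # contains can never alter the shell commands below.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          # Always quote the variable: the title is plain data to the shell.
          title="$PR_TITLE"
          printf 'Backport PR title: %s\n' "$title"
```

Any secret such as the custom token in the original workflow should likewise be exposed only to the specific step that needs it, so an injected command elsewhere in the job cannot read it from the environment.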
Impact
This issue may lead to code execution in a highly privileged context.
Credit
This issue was discovered by CodeQL and an AI agent developed by the GitHub Security Lab and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2025-090 in any communication regarding this issue.