
Code injection vulnerability in versions 1.13.2 thru 1.13.5

Moderate
rjdbcm published GHSA-2487-9f55-2vg9 May 10, 2025

Package

actions OZI-Project/ozi-publish (GitHub Actions)

Affected versions

>=1.13.2

Patched versions

1.13.6

Description

Impact

Potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.
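An added defensive example, not code from OZI-Project/ozi-publish (the advisory does not show the affected PR-creation logic): the branch name is treated as untrusted input, checked against a strict allowlist, and passed to the PR-creation command as its own argv element rather than spliced into a shell string. The environment-variable source and the use of the `gh` CLI are assumptions for illustration.

```python
"""Treating a branch name as untrusted before it reaches PR-creation logic.

Assumptions (not from the advisory): the branch name arrives in an
environment variable and the PR is created by invoking the `gh` CLI.
In a GitHub Actions `run:` step the same rule applies: expose the value
through `env:` instead of interpolating `${{ ... }}` into the script.
"""
import os
import re
import subprocess

# Git permits many characters in ref names, but a release-branch policy can
# be far stricter.  Allow a conservative charset, require an alphanumeric
# first character (so the value can never parse as a `-` option) and cap
# the length at 255.  Shell and expression metacharacters ($ ` ; | & quotes,
# whitespace, newlines) are simply outside the class and therefore rejected.
BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def is_safe_branch_name(name: str) -> bool:
    """True only if the whole string matches the allowlist (fullmatch, not search)."""
    return (
        BRANCH_RE.fullmatch(name) is not None
        and ".." not in name          # no path-traversal-looking segments
        and not name.endswith("/")    # not a valid ref anyway
    )


def pr_create_argv(branch: str, title: str) -> list:
    """Build the PR-creation command as an argv list, never a shell string.

    Each value is a separate argument, so metacharacters in it are inert;
    the allowlist check runs first so a bad name fails loudly.
    """
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["gh", "pr", "create", "--head", branch, "--title", title]


def create_pr_from_env(var: str = "HEAD_BRANCH") -> None:
    """Read the (assumed) environment variable and create the PR safely."""
    branch = os.environ.get(var, "")
    # shell=False is the default: argv goes to execve, no shell parses it.
    subprocess.run(pr_create_argv(branch, f"Release {branch}"), check=True)
```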

Patches

This is patched in 1.13.6.

Workarounds

Downgrade to <1.13.2

References

Severity

Moderate

CVE ID

CVE-2025-47271

Weaknesses

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.