| عنوان | vercel ai @ai-sdk/[email protected] OS Command Injection (CWE-78) |
|---|
| الوصف | # Technical Details
A Command Injection vulnerability exists in the `run` method in `.github/workflows/prettier-on-automerge.yml` of vercel/ai.
The application fails to sanitize inputs inserted into shell execution contexts, using an unsafe direct string interpolation method (`${{ github.event.pull_request.head.ref }}`). An attacker opening a PR with a carefully crafted branch name can execute arbitrary bash commands in the runner's sandbox.
# Vulnerable Code
File: .github/workflows/prettier-on-automerge.yml
Method: run block (lines 54-68)
Why: The workflow explicitly interleaves user-controlled GitHub action contexts (`pull_request.head.ref`) inside bash pipelines without mapping them through intermediate environmental variables (`env:`).
# Reproduction
1. Create a pull request leveraging a Git branch formed with command-substitution injection syntax, such as `$(echo${IFS}PWNED_BY_COMMAND_INJECTION>/tmp/pwned)`.
2. Push the branch to the external repository.
3. Observe that when the `prettier-on-automerge.yml` pipeline triggers, the bash execution bypasses format bounds and establishes payload functionality on the build host.
# Impact
- Authorized Sandbox Execution allowing attackers to intercept CI/CD deployments and poison release artifacts leading to supply chain compromises.
- Extraction of GitHub deployment security tokens and credential compromise (`VERCEL_AI_SDK_GITHUB_APP_PRIVATE_KEY_PKCS8` or `GH_TOKEN`). |
|---|
| المصدر | ⚠️ https://gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0 |
|---|
| المستخدم | Eric-d (UID 96861) |
|---|
| ارسال | 23/04/2026 02:41 PM (1 شهر منذ) |
|---|
| الاعتدال | 17/05/2026 11:28 AM (24 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 364392 [vercel ai حتى 3.0.97 PR Branch Name Interpolation prettier-on-automerge.yml run تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|