CVE-2020-15228 in @actions/core

Summary

by MITRE • 10/04/2020

In the `@actions/core` npm module before version 1.2.6, `addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the `set-env` and `add-path` workflow commands in the near future. For now, users should upgrade to `@actions/core` v1.2.6 or later, and replace any instance of the `set-env` or `add-path` commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.


Analysis

by VulDB Data Team • 11/15/2020

The vulnerability described in CVE-2020-15228 is a flaw in the GitHub Actions ecosystem that affects the @actions/core npm module in versions 1.2.5 and earlier. It stems from the way the Actions Runner processes workflow commands: a step talks to the runner in-band, by writing specially formatted lines to its own stdout. The affected functions, addPath and exportVariable, are meant to modify the execution environment of the later steps in a job, and they do so by printing the add-path and set-env commands. Because the runner cannot distinguish a command that a function deliberately emitted from one that merely appeared in logged output, any workflow that logs untrusted data to stdout can be made to modify PATH or environment variables without the workflow or action author intending it. This is an injection vulnerability in the classic sense: a data channel (the log) doubles as a control channel (the command stream), so attacker-controlled text becomes runner instructions.

Technically, the runner scans every line a step writes to stdout for the command syntax `::name key=value::data`. Lines such as `::set-env name=NAME::VALUE` and `::add-path::DIR` are executed as commands that set an environment variable or prepend a directory to PATH for the remaining steps of the job. When untrusted input (a pull request title, an issue body, an external API response) is logged to stdout inside a workflow, any line of it that matches this syntax is executed as though the workflow itself had issued it. That creates a substantial attack surface: an attacker can prepend a directory of their own to PATH so that a later step runs an attacker-supplied binary instead of the intended tool, or set environment variables that change how later steps behave. The weakness is catalogued as CWE-74, "Improper Neutralization of Special Elements in Output Used by a Downstream Component" ('Injection'), and VulDB maps it to ATT&CK technique T1059.001, a sub-technique of T1059, Command and Scripting Interpreter.

The operational impact goes beyond changing a single variable. An attacker who can get data into a workflow that logs it could redirect which binaries later steps execute, alter how libraries and interpreters are loaded through environment variables, and so run code of their choosing with whatever permissions the job has. CI/CD pipelines are the natural target, because workflows routinely process input from outside the trust boundary, such as contributions in pull requests or responses from external APIs. As the advisory notes, the Actions Runner will eventually refuse the set-env and add-path commands outright, which closes the vector for everyone; until that happens, and during the interim period in which the runner only warns, workflows that still log untrusted data remain exposed.

Organizations and developers should upgrade to @actions/core version 1.2.6 or later, since earlier versions emit the affected commands over stdout. The recommended mitigation is to replace the legacy workflow commands with the Environment File Syntax, which provides a safer mechanism for modifying environment variables and paths: a step appends `NAME=value` lines to the file named by the GITHUB_ENV variable and directory paths to the file named by GITHUB_PATH, and the runner reads those files after the step completes. This removes the stdout injection vector for these two operations because the log stream no longer carries them; environment changes and log output travel on separate channels, so text that merely appears in a log cannot trigger them. Developers should additionally treat anything they log as untrusted: avoid echoing attacker-controlled strings unchanged and, where logging them is unavoidable, suspend command processing around the untrusted output with the runner's `::stop-commands::token` and `::token::` commands, since other workflow commands are still parsed from stdout after set-env and add-path are disabled. Keeping data and control on separate channels is what shrinks the attack surface here, not any particular vendor's checklist.

Responsible

GitHub, Inc.

Reservation

06/25/2020

Disclosure

10/04/2020

Moderation

accepted

CPE

ready

EPSS

0.01438

KEV

no

Activities

very low

Sources
