CVE-2024-42471 in toolkitinfo

Summary

by MITRE • 09/02/2024

actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` before 2.1.7 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.7 or higher. There are no known workarounds for this issue.

Analysis

by VulDB Data Team • 07/21/2025

The vulnerability identified as CVE-2024-42471 affects the GitHub ToolKit library actions/artifact, which is commonly used for developing GitHub Actions workflows. This security flaw resides in the artifact handling functionality of the toolkit and specifically impacts versions prior to 2.1.7. The vulnerability stems from inadequate input validation during artifact extraction processes, creating a path traversal condition that allows malicious actors to write files to arbitrary locations on the filesystem. The affected functions include downloadArtifactInternal, downloadArtifactPublic, and streamExtractExternal, which are all susceptible to exploitation when processing specially crafted artifact files containing malicious path traversal sequences.

The technical implementation of this vulnerability follows a classic path traversal pattern where the artifact extraction process fails to properly sanitize or validate file paths contained within uploaded artifacts. When these functions process files with directory traversal sequences such as ../ or ..\ in their filenames, the system does not adequately restrict the destination paths, allowing attackers to write files outside of the intended extraction directory. This creates a privilege escalation scenario where unauthorized file system modifications can occur, potentially leading to code injection, data exfiltration, or system compromise. The vulnerability is particularly dangerous in automated CI/CD environments where GitHub Actions workflows execute with elevated privileges and may have access to sensitive infrastructure resources.

The operational impact of CVE-2024-42471 extends beyond simple file system manipulation as it represents a critical security weakness in the GitHub Actions ecosystem that could be exploited by attackers who gain access to artifact upload capabilities. In a typical CI/CD pipeline, compromised artifact repositories could allow adversaries to inject malicious code into the build process, potentially compromising the entire software supply chain. The vulnerability is particularly concerning because it affects the core artifact handling functionality that is fundamental to GitHub Actions operations, making it a high-value target for attackers seeking persistent access to development environments. Organizations utilizing GitHub Actions for automated builds, deployments, and testing are at risk of unauthorized file system modifications that could compromise the integrity of their entire development pipeline.

The recommended mitigation for CVE-2024-42471 is straightforward and aligns with standard security practices for addressing path traversal vulnerabilities. Organizations must upgrade their actions/artifact library to version 2.1.7 or higher to receive the patched implementation that properly validates and sanitizes file paths during artifact extraction processes. This upgrade addresses the root cause by implementing proper input validation that prevents directory traversal sequences from being processed as legitimate file paths. Security teams should also consider implementing additional controls such as artifact access restrictions, automated scanning of uploaded artifacts for malicious content, and monitoring for unauthorized file system modifications in CI/CD environments. The vulnerability classification aligns with CWE-22 Path Traversal and follows ATT&CK technique T1059.001 Command and Scripting Interpreter for potential exploitation paths that could lead to further system compromise.

Responsible: GitHub M

Reservation: 08/02/2024

Disclosure: 09/02/2024

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.07710

KEV: no

Activities: very low
