| Título | vercel ai @ai-sdk/[email protected] OS Command Injection (CWE-78) |
|---|
| Descrição | # Technical Details
A Command Injection vulnerability exists in the `run` method in `.github/workflows/prettier-on-automerge.yml` of vercel/ai.
The application fails to sanitize inputs inserted into shell execution contexts, using an unsafe direct string interpolation method (`${{ github.event.pull_request.head.ref }}`). An attacker opening a PR with a carefully crafted branch name can execute arbitrary bash commands in the runner's sandbox.
# Vulnerable Code
File: .github/workflows/prettier-on-automerge.yml
Method: run block (lines 54-68)
Why: The workflow explicitly interleaves user-controlled GitHub action contexts (`pull_request.head.ref`) inside bash pipelines without mapping them through intermediate environmental variables (`env:`).
# Reproduction
1. Create a pull request leveraging a Git branch formed with command-substitution injection syntax, such as `$(echo${IFS}PWNED_BY_COMMAND_INJECTION>/tmp/pwned)`.
2. Push the branch to the external repository.
3. Observe that when the `prettier-on-automerge.yml` pipeline triggers, the bash execution bypasses format bounds and establishes payload functionality on the build host.
# Impact
- Authorized Sandbox Execution allowing attackers to intercept CI/CD deployments and poison release artifacts leading to supply chain compromises.
- Extraction of GitHub deployment security tokens and credential compromise (`VERCEL_AI_SDK_GITHUB_APP_PRIVATE_KEY_PKCS8` or `GH_TOKEN`). |
|---|
| Fonte | ⚠️ https://gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0 |
|---|
| Utilizador | Eric-d (UID 96861) |
|---|
| Submissão | 23/04/2026 14h41 (há 1 mês) |
|---|
| Moderação | 17/05/2026 11h28 (24 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 364392 [vercel ai até 3.0.97 PR Branch Name Interpolation prettier-on-automerge.yml run Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|