| 标题 | vercel ai @ai-sdk/[email protected] OS Command Injection (CWE-78) |
|---|
| 描述 | # Technical Details
A Command Injection vulnerability exists in the `run` method in `.github/workflows/prettier-on-automerge.yml` of vercel/ai.
The application fails to sanitize inputs inserted into shell execution contexts, using an unsafe direct string interpolation method (`${{ github.event.pull_request.head.ref }}`). An attacker opening a PR with a carefully crafted branch name can execute arbitrary bash commands in the runner's sandbox.
# Vulnerable Code
File: .github/workflows/prettier-on-automerge.yml
Method: run block (lines 54-68)
Why: The workflow explicitly interleaves user-controlled GitHub action contexts (`pull_request.head.ref`) inside bash pipelines without mapping them through intermediate environmental variables (`env:`).
# Reproduction
1. Create a pull request leveraging a Git branch formed with command-substitution injection syntax, such as `$(echo${IFS}PWNED_BY_COMMAND_INJECTION>/tmp/pwned)`.
2. Push the branch to the external repository.
3. Observe that when the `prettier-on-automerge.yml` pipeline triggers, the bash execution bypasses format bounds and establishes payload functionality on the build host.
# Impact
- Authorized Sandbox Execution allowing attackers to intercept CI/CD deployments and poison release artifacts leading to supply chain compromises.
- Extraction of GitHub deployment security tokens and credential compromise (`VERCEL_AI_SDK_GITHUB_APP_PRIVATE_KEY_PKCS8` or `GH_TOKEN`). |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0 |
|---|
| 用户 | Eric-d (UID 96861) |
|---|
| 提交 | 2026-04-23 14時41分 (1 月前) |
|---|
| 管理 | 2026-05-17 11時28分 (24 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 364392 [vercel ai 直到 3.0.97 PR Branch Name Interpolation prettier-on-automerge.yml run 权限提升] |
|---|
| 积分 | 20 |
|---|