CVE-2025-54430 Overview
CVE-2025-54430 is a Command Injection vulnerability affecting the dedupe Python library, which uses machine learning to perform fuzzy matching, deduplication, and entity resolution on structured data. The vulnerability exists in the .github/workflows/benchmark-bot.yml GitHub Actions workflow file, where unsanitized input from pull request comments can trigger execution of untrusted code from attacker-controlled branches.
Critical Impact
Successful exploitation could lead to exfiltration of the GITHUB_TOKEN with write permissions on critical scopes including repository contents, potentially enabling full repository takeover.
Affected Products
- dedupe Python library (versions prior to commit 3f61e79)
- GitHub repositories using the vulnerable benchmark-bot.yml workflow
- Projects forking or using dedupe's CI/CD workflow configuration
Discovery Timeline
- 2025-07-30 - CVE CVE-2025-54430 published to NVD
- 2025-07-31 - Last updated in NVD database
Technical Details for CVE-2025-54430
Vulnerability Analysis
This vulnerability stems from insecure handling of GitHub Actions workflow triggers in the dedupe repository. The vulnerable workflow benchmark-bot.yml is configured to respond to issue_comment events containing the @benchmark trigger phrase. When triggered, the workflow performs a checkout operation using the expression ${{ github.event.issue.number }}, which references the pull request branch number associated with the comment.
The fundamental security flaw lies in the workflow's design: it checks out code from a branch that can be controlled by external contributors. An attacker could create a malicious pull request containing arbitrary code, then trigger the benchmark workflow by commenting @benchmark on their own PR. This causes the CI system to execute whatever code exists in the attacker's branch within a privileged context.
The GITHUB_TOKEN available in this workflow context has elevated write permissions across multiple scopes, most critically the contents scope. Extraction of this token would allow an attacker to push code directly to protected branches, modify releases, or otherwise compromise the integrity of the repository.
Root Cause
The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), specifically manifesting as unsafe interpolation of user-controlled data (github.event.issue.number) in a GitHub Actions checkout operation. The workflow fails to validate that the checked-out code originates from a trusted source before executing it.
Attack Vector
The attack can be executed remotely over the network without any authentication. An attacker can exploit this vulnerability by:
- Forking the dedupe repository
- Creating a branch containing malicious code designed to exfiltrate the GITHUB_TOKEN (e.g., sending it to an attacker-controlled server)
- Opening a pull request from their fork to the upstream dedupe repository
- Commenting @benchmark on their own pull request
- The workflow triggers, checks out the attacker's malicious branch, and executes the untrusted code with access to the repository's GITHUB_TOKEN
The malicious code could exfiltrate secrets through various channels including HTTP requests to external servers, DNS exfiltration, or encoding data in workflow outputs. Once the GITHUB_TOKEN is obtained, the attacker gains write access to repository contents, enabling potential supply chain attacks.
Detection Methods for CVE-2025-54430
Indicators of Compromise
- Unexpected comments containing @benchmark on pull requests from external contributors
- Workflow runs triggered by issue_comment events from unknown or suspicious users
- Unusual outbound network requests during GitHub Actions workflow execution
- Unauthorized commits or changes to repository branches, especially protected branches
- New or modified workflow files in the .github/workflows directory
Detection Strategies
- Audit GitHub Actions workflow runs for executions triggered by issue_comment events
- Review repository audit logs for unexpected push events or permission changes
- Monitor for pull requests from untrusted forks that receive workflow-triggering comments
- Implement GitHub Advanced Security or third-party tools to scan workflows for unsafe patterns
Monitoring Recommendations
- Enable GitHub repository audit logging and forward logs to a SIEM for analysis
- Configure alerts for workflow runs on pull requests from external contributors
- Monitor for secrets or tokens appearing in workflow logs or external data breach databases
- Review GitHub Actions usage patterns for anomalies in timing or frequency of benchmark-bot executions
How to Mitigate CVE-2025-54430
Immediate Actions Required
- Update the dedupe repository to include commit 3f61e79 or later
- Rotate any GITHUB_TOKEN or secrets that may have been exposed if the vulnerability was exploited
- Audit recent workflow runs for signs of malicious activity or unauthorized executions
- Review repository commit history for any unauthorized changes to critical files
Patch Information
The vulnerability is fixed in commit 3f61e79102910bd355e920a2df7e44c14c9cb247. Users should update their dedupe installation or fork to include this commit. The fix addresses the unsafe checkout behavior by ensuring the workflow does not execute code from untrusted pull request branches with elevated permissions.
For more details, see the GitHub Security Advisory GHSA-wrg3-xqw8-m85p and the fix commit.
Workarounds
- Disable or remove the benchmark-bot.yml workflow until the patch can be applied
- Restrict workflow permissions using GitHub's permission configuration to reduce GITHUB_TOKEN scope
- Configure branch protection rules to require reviews for all pull requests before merge
- Use pull_request_target event with explicit security controls instead of issue_comment triggers on PR branches
# Configuration example: Restrict workflow permissions in repository settings
# In .github/workflows/benchmark-bot.yml, add permissions block:
permissions:
contents: read
pull-requests: read
# This limits GITHUB_TOKEN to read-only access, reducing impact if exploited
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
