CVE-2021-32724

9.9 CRITICAL

📋 TL;DR

CVE-2021-32724 is a critical vulnerability in the check-spelling GitHub Action that allows attackers to steal the GITHUB_TOKEN secret via crafted pull requests. This enables unauthorized commits to repositories, potentially exposing all repository secrets. Affected users are those running the check-spelling action from workflows with pull_request_target or schedule triggers.

💻 Affected Systems

Products:
  • check-spelling GitHub Action
Versions: All versions before commit 436362fc6b588d9d561cbdb575260ca593c8dc56
Operating Systems: All platforms running GitHub Actions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects workflows using pull_request_target or schedule triggers with check-spelling action.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete repository compromise: attacker gains write access, steals all repository secrets, injects malicious code, and potentially compromises downstream systems.

🟠 Likely Case

Unauthorized code commits leading to secret exfiltration and repository integrity breach.

🟢 If Mitigated

Limited to read-only access with no secret exposure if proper permissions are configured.

🌐 Internet-Facing: HIGH - Attackers can exploit via public pull requests without authentication.
🏢 Internal Only: LOW - Requires external attacker interaction through public repository interfaces.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires creating a malicious pull request to a vulnerable repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 436362fc6b588d9d561cbdb575260ca593c8dc56 and later

Vendor Advisory: https://github.com/check-spelling/check-spelling/security/advisories/GHSA-g86g-chm8-7r2p

Restart Required: No

Instructions:

1. Update the check-spelling action to the latest version using the @main reference.
2. For pinned versions, update the SHA to 436362fc6b588d9d561cbdb575260ca593c8dc56 or later.
3. Apply to all repository branches.

🔧 Temporary Workarounds

  • Disable vulnerable workflows (applies to: all): Temporarily disable check-spelling workflows until patched.
  • Restrict GitHub Actions (applies to: all): Set the repository to allow only specific verified actions.
  • Reduce GITHUB_TOKEN permissions (applies to: all): Set workflow permissions to read-only for repository contents.

🧯 If You Can't Patch

  • Disable check-spelling action entirely
  • Remove pull_request_target and schedule triggers from affected workflows
  • Implement manual spell checking processes

🔍 How to Verify

Check if Vulnerable:

Check workflow YAML files for check-spelling usage with pull_request_target or schedule triggers, and verify whether the referenced version predates the fix.

Check Version:

Inspect .github/workflows/*.yml files for check-spelling references and the pinned version or SHA.

Verify Fix Applied:

Confirm workflow uses check-spelling@main or SHA 436362fc6b588d9d561cbdb575260ca593c8dc56 or later.
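To make the verification above repeatable across many repositories, here is an added scanner (not from the advisory or the check-spelling project) that classifies each workflow file by trigger, action ref and GITHUB_TOKEN scope. The sample workflows and the all-zero SHA are constructed placeholders; a ref other than @main or the fix commit is reported for manual review rather than judged, because "or later" cannot be decided without the repository's git history.

```python
import re
from pathlib import Path

FIXED_SHA = "436362fc6b588d9d561cbdb575260ca593c8dc56"   # fix commit named in the advisory
RISKY_TRIGGERS = ("pull_request_target", "schedule")       # the triggers the advisory scopes this to
USES_RE = re.compile(r"uses:\s*['\"]?check-spelling/check-spelling@([^\s'\"#]+)")

def scan_workflow(text: str) -> dict:
    """Classify one workflow file by trigger, action ref and GITHUB_TOKEN scope.
    Regex-based so it needs no YAML library; handles 'on: [a, b]' and the block form."""
    triggers = [t for t in RISKY_TRIGGERS
                if re.search(rf"^\s*on:.*\b{t}\b|^\s+{t}:", text, re.M)]
    refs = USES_RE.findall(text)
    contents_read = re.search(r"\bcontents:\s*read\b", text) is not None  # read-only workaround
    if not refs or not triggers:
        status = "not_exposed"   # no check-spelling step, or no pull_request_target/schedule trigger
    elif all(r in ("main", FIXED_SHA) for r in refs):
        status = "fixed"         # tracks @main or is pinned to the fix commit
    else:
        status = "review"        # tag, branch or other SHA: confirm it is at or after the fix
    return {"triggers": triggers, "refs": refs, "contents_read": contents_read, "status": status}

def scan_repo(root: str) -> dict:
    """Apply scan_workflow to every .github/workflows/*.yml|*.yaml under root."""
    wf_dir = Path(root) / ".github" / "workflows"
    return {p.name: scan_workflow(p.read_text()) for p in sorted(wf_dir.glob("*.y*ml"))}
# Constructed sample workflows (not from the advisory); the all-zero SHA is a placeholder.
EXPOSED = """\
on:
  pull_request_target:
  schedule:
    - cron: '0 3 * * *'
jobs:
  spell:
    steps:
      - uses: check-spelling/check-spelling@0000000000000000000000000000000000000000
"""
FIXED = """\
on: [push, pull_request_target]
permissions: {contents: read}
jobs:
  spell:
    steps:
      - uses: check-spelling/check-spelling@436362fc6b588d9d561cbdb575260ca593c8dc56
"""
NOT_EXPOSED = "on: [pull_request]\njobs:\n  spell:\n    steps:\n      - uses: check-spelling/check-spelling@main\n"
if __name__ == "__main__":
    for name, wf in (("exposed", EXPOSED), ("fixed", FIXED), ("not_exposed", NOT_EXPOSED)):
        print(name, scan_workflow(wf))
```

Run scan_repo(".") from a checked-out repository root to get one result per workflow file; any "review" entry is the one to resolve by hand.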

📡 Detection & Monitoring

Log Indicators:

  • Unexpected GITHUB_TOKEN usage in pull request workflows
  • Unauthorized commits from check-spelling action

Network Indicators:

  • Unusual API calls from GitHub Actions workflows that read repository secrets

SIEM Query:

source="github-actions" AND action="check-spelling" AND trigger="pull_request_target"
