CVE-2023-27581

8.8 HIGH

📋 TL;DR

CVE-2023-27581 is a command injection vulnerability in github-slug-action that allows attackers to execute arbitrary code on GitHub runners by manipulating pull request branch names. Any GitHub user can exploit this against workflows using vulnerable versions of the action, potentially compromising CI/CD pipelines and stealing secrets. This affects all users of github-slug-action versions 4.0.0 through 4.4.0.

💻 Affected Systems

Products:
  • github-slug-action
Versions: 4.0.0 through 4.4.0
Operating Systems: All GitHub Actions runners (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects workflows using github-slug-action on pull requests. The vulnerability is in how the action processes the github.head_ref parameter.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of GitHub runners, exfiltration of all CI/CD secrets, unauthorized code execution in production environments, and lateral movement to connected systems.

🟠 Likely Case

Attackers execute arbitrary commands on runners, steal repository secrets, modify build artifacts, and potentially pivot to other systems in the CI/CD pipeline.

🟢 If Mitigated

With proper input validation and runner isolation, impact is limited to the specific runner instance, though secrets exposed to that runner would still be compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires GitHub account access to create pull requests, but any GitHub user can target public repositories. The attack is simple and well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.1

Vendor Advisory: https://github.com/rlespinasse/github-slug-action/security/advisories/GHSA-6q4m-7476-932w

Restart Required: No

Instructions:

1. Update your GitHub workflow YAML files to use github-slug-action@v4.4.1 or later.
2. Replace any references to older versions with: uses: rlespinasse/github-slug-action@v4.4.1
3. Test your workflows to ensure compatibility.

🔧 Temporary Workarounds

Temporarily disable github-slug-action
Applies to: all
Remove or comment out github-slug-action usage in workflows until patched:
# Comment out: uses: rlespinasse/github-slug-action@v4

🧯 If You Can't Patch

  • Disable github-slug-action on pull request workflows by adding the condition: if: github.event_name != 'pull_request'
  • Implement strict branch naming policies to prevent malicious branch names

🔍 How to Verify

Check if Vulnerable:

Inspect your .github/workflows/*.yml files for lines containing: uses: rlespinasse/github-slug-action@ and check whether the pinned version is between 4.0.0 and 4.4.0 inclusive

Check Version:

grep -r "rlespinasse/github-slug-action" .github/workflows/

Verify Fix Applied:

Confirm workflow files now specify: uses: rlespinasse/github-slug-action@v4.4.1 or later
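The grep above only lists the lines; deciding whether each pin is inside the affected range still has to be done by hand, and a floating tag such as @v4 or a commit SHA cannot be judged from the file alone. The following Python script is an added example, not part of this advisory or of the github-slug-action project. It scans workflow text for uses: rlespinasse/github-slug-action@<ref> lines and classifies each ref against the 4.0.0 through 4.4.0 range and the 4.4.1 fix. The workflow contents, file names and repository names are constructed for the example.

```python
import re

# Constructed sample workflow files (hypothetical paths and contents).
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": """
name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: rlespinasse/github-slug-action@v4.4.0
""",
    ".github/workflows/release.yml": """
jobs:
  release:
    steps:
      - uses: rlespinasse/github-slug-action@v4.4.1  # patched
""",
    ".github/workflows/docs.yml": """
jobs:
  docs:
    steps:
      - uses: rlespinasse/github-slug-action@v4
      - uses: rlespinasse/github-slug-action@0123456789abcdef0123456789abcdef01234567
""",
}

# Matches the action reference up to whitespace or a trailing YAML comment.
USES_RE = re.compile(r"uses:\s*rlespinasse/github-slug-action@([^\s#]+)")

# Affected range and first fixed release, from the advisory.
VULN_LOW, VULN_HIGH, FIXED = (4, 0, 0), (4, 4, 0), (4, 4, 1)


def parse_version(ref):
    """Return (major, minor, patch) for a full semver tag like v4.4.0, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def classify_ref(ref):
    """Classify one @ref against the advisory's version range."""
    v = parse_version(ref)
    if v is not None:
        if VULN_LOW <= v <= VULN_HIGH:
            return "vulnerable"
        if v >= FIXED:
            return "fixed"
        return "outside-advisory-range"  # e.g. 3.x: not covered by this advisory
    if re.fullmatch(r"v?\d+(\.\d+)?", ref):
        # Major or major.minor tag: resolved by GitHub at run time, so the file
        # alone does not tell you which release runs. Check what the tag points to.
        return "floating-tag"
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        # Commit pin: map the SHA to a release in the action's repository.
        return "commit-sha"
    return "unknown"


def scan_workflows(workflows):
    """Return (path, line_no, ref, classification) for every github-slug-action use."""
    findings = []
    for path, text in workflows.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            m = USES_RE.search(line)
            if m:
                findings.append((path, line_no, m.group(1), classify_ref(m.group(1))))
    return findings


if __name__ == "__main__":
    for path, line_no, ref, status in scan_workflows(SAMPLE_WORKFLOWS):
        print(f"{path}:{line_no}: @{ref} -> {status}")
```

To run it against a real checkout, replace SAMPLE_WORKFLOWS with a dict built from glob.glob(".github/workflows/*.yml") and open(...).read(). Treat "floating-tag" and "commit-sha" results as items to resolve, not as clean: a v4 tag is only safe once the maintainer has moved it to 4.4.1 or later, and a SHA is only safe if it corresponds to such a release.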

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in GitHub Actions logs
  • Suspicious branch names containing shell metacharacters
  • Unexpected environment variable modifications

Network Indicators:

  • Unexpected outbound connections from GitHub runners during build process

SIEM Query:

source="github-actions" AND "github-slug-action" AND (branch_name CONTAINS "$" OR branch_name CONTAINS "`" OR branch_name CONTAINS "|")
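For teams without a SIEM that ingests branch names, the same logic can be run over exported pull request events. The Python below is an added example, not part of this advisory; it parses constructed log lines of the form "<timestamp> pull_request <action> repo=<repo> head_ref=<branch>" (a hypothetical format, not GitHub's own audit log schema), flags head refs containing shell metacharacters, and also implements the allowlist check that a strict branch naming policy would enforce. It goes slightly beyond the SIEM query above by covering additional metacharacters that git permits in ref names.

```python
import re

# Characters that change meaning when an untrusted string reaches a shell
# unquoted. Git ref naming rules forbid spaces, ~, ^, :, ?, *, [ and \,
# but allow every character in this set, so a blocklist must include them.
SHELL_METACHARS = set("$`|;&<>(){}\n")

# Allowlist a strict branch naming policy would enforce (constructed policy).
SAFE_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")

# Constructed sample records in a hypothetical export format.
SAMPLE_LOG = """\
2023-03-10T10:00:01Z pull_request opened repo=acme/app head_ref=feature/login-form
2023-03-10T10:02:13Z pull_request opened repo=acme/app head_ref=fix/issue-42
2023-03-10T10:05:47Z pull_request opened repo=acme/app head_ref=topic$X
2023-03-10T10:07:02Z pull_request opened repo=acme/app head_ref=a|b
2023-03-10T10:09:30Z pull_request synchronize repo=acme/app head_ref=x`y`
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) pull_request (?P<action>\S+) repo=(?P<repo>\S+) head_ref=(?P<ref>.*)$"
)


def suspicious_chars(ref):
    """Return the sorted list of shell metacharacters present in a branch name."""
    return sorted(c for c in set(ref) if c in SHELL_METACHARS)


def is_policy_compliant(ref):
    """True if the branch name matches the allowlist policy."""
    return SAFE_REF_RE.match(ref) is not None


def scan_log(text):
    """Parse log lines and return an alert dict for each head_ref carrying metacharacters."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a pull_request record in the expected shape
        chars = suspicious_chars(m["ref"])
        if chars:
            alerts.append({
                "ts": m["ts"],
                "repo": m["repo"],
                "action": m["action"],
                "head_ref": m["ref"],
                "metachars": chars,
                "policy_ok": is_policy_compliant(m["ref"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['repo']} head_ref={alert['head_ref']!r} "
              f"metachars={alert['metachars']}")
```

The blocklist catches the characters the SIEM query looks for plus the others git allows; the allowlist is the stronger control, since it rejects anything outside the characters a branch name legitimately needs rather than enumerating what is dangerous.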
