CVE-2025-49013

9.9 CRITICAL

📋 TL;DR

This CVE describes a critical code injection vulnerability in WilderForge GitHub Actions workflows: user-controlled expression values such as ${{ github.event.review.body }} are interpolated directly into shell script (run) steps without sanitization. An attacker can submit a pull request review whose body contains shell commands and have them executed on the GitHub Actions runner, potentially compromising CI infrastructure, secrets, and build outputs. Only developers/maintainers of the affected WilderForge repositories and users who fork or reuse the vulnerable workflows are affected; end users of the compiled software are not impacted.

💻 Affected Systems

Products:
  • WilderForge/WilderForge
  • WilderForge/ExampleMod
  • WilderForge/WilderWorkspace
  • WilderForge/WildermythGameProvider
  • WilderForge/AutoSplitter
  • WilderForge/SpASM
  • WilderForge/thrixlvault
  • WilderForge/MassHash
  • WilderForge/DLC_Disabler
Versions: All versions using vulnerable GitHub Actions workflows
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects repositories with vulnerable GitHub Actions workflows; compiled software/runtime is not vulnerable. Forks of affected repositories that reuse workflows are also vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of GitHub Actions runner with access to repository secrets, ability to modify source code, exfiltrate sensitive data, and pivot to other systems in the CI/CD pipeline.

🟠 Likely Case

Execution of arbitrary commands on GitHub Actions runners leading to secret theft, build manipulation, or repository compromise.

🟢 If Mitigated

No impact if proper input validation and sanitization are implemented, or if GitHub Actions are disabled for affected repositories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to submit pull request reviews to affected repositories. Public proof-of-concept exists in security advisories and research papers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check individual repository security advisories

Vendor Advisory: https://github.com/WilderForge/WilderForge/security/advisories/GHSA-m6r3-c73x-8fw5

Restart Required: No

Instructions:

1. Review the GitHub Actions workflows in the affected repositories.
2. Replace unsafe usage of ${{ github.event.review.body }} and similar user-controlled variables with proper sanitization.
3. Follow GitHub's security hardening guidelines for preventing script injection.
4. Update the workflows to pass such values through an intermediate environment variable or to escape them properly.

🔧 Temporary Workarounds

Disable GitHub Actions (applies to: all)

Temporarily disable GitHub Actions in affected repositories to prevent exploitation.

Navigate to repository Settings > Actions > Disable Actions for this repository

Remove Vulnerable Workflows (applies to: all)

Delete or disable the affected GitHub Actions workflow files:

rm .github/workflows/[vulnerable-workflow-file].yml

🧯 If You Can't Patch

  • Disable pull request reviews from untrusted contributors
  • Implement manual review process for all pull requests before GitHub Actions execution

🔍 How to Verify

Check if Vulnerable:

Review GitHub Actions workflow files for unsafe usage of ${{ github.event.review.body }} or similar user-controlled variables in shell script contexts without proper sanitization.
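As an added example (not code from the advisory or the WilderForge project), the following Python script performs that check: it flags ${{ }} expressions from contributor-controlled contexts when they appear inside a step's run: script, and passes the hardened form from the fix instructions, where the value reaches the shell only through an env: variable. The list of untrusted contexts and both sample workflows are constructed for the example; the script inspects run: steps only, not values passed to third-party actions.

```python
import re
# Expression contexts an outside contributor can set. Assumed list drawn from
# GitHub's script-injection guidance; the advisory names github.event.review.body.
UNTRUSTED_CONTEXTS = ("github.event.review.body", "github.event.review_comment.body",
                      "github.event.comment.body", "github.event.issue.title",
                      "github.event.pull_request.title", "github.head_ref")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")    # ${{ expression }}
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # a step's run: key

def find_unsafe_run_expressions(workflow_text):
    """(line_number, expression) for each untrusted context spliced into a run: script."""
    findings, run_col = [], None  # run_col: column of run: while inside its script
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            run_col, body = len(m.group(1)), m.group(2)
        elif not line.strip():
            continue  # blank lines do not end a block scalar
        elif run_col is not None and len(line) - len(line.lstrip()) > run_col:
            body = line  # continuation line of a `run: |` block scalar
        else:
            run_col = None  # a sibling key (env:, - name:, ...) ends the script
            continue
        for expr in EXPR_RE.findall(body):
            if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings

# Constructed sample workflows, not taken from any WilderForge repository.
VULNERABLE_WORKFLOW = """\
on: pull_request_review
jobs:
  handle:
    steps:
      - name: Unsafe - the review text is expanded into the shell script itself
        run: |
          echo "Review said: ${{ github.event.review.body }}"
          echo "Branch: ${{ github.head_ref }}"
"""
HARDENED_WORKFLOW = """\
on: pull_request_review
jobs:
  handle:
    steps:
      - name: Safe - the value reaches the shell only as an environment variable
        env:
          REVIEW_BODY: ${{ github.event.review.body }}
        run: echo "Review said: $REVIEW_BODY"
"""
```

Run it over each file under .github/workflows/ in a checkout; a non-empty result for a file is the unsafe pattern this advisory describes.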

Check Version:

Review workflow file contents and commit history; no specific version command available.

Verify Fix Applied:

Check that workflow files now use proper input validation, GitHub Actions expressions, or appropriate escaping for user-controlled variables.

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands in GitHub Actions logs
  • Unexpected environment variable modifications
  • Suspicious pull request review activity

Network Indicators:

  • Unexpected outbound connections from GitHub Actions runners
  • Data exfiltration patterns

SIEM Query:

source="github-actions" AND (command_injection_indicators OR suspicious_shell_patterns)
