CVE-2025-54416

9.1 CRITICAL

📋 TL;DR

This vulnerability in the tj-actions/branch-names GitHub Action allows arbitrary command execution in downstream workflows due to improper input sanitization. Attackers can use specially crafted branch names or tags to execute malicious commands in the workflow that consumes the action's output. Users of versions 8.2.1 and below are affected.

💻 Affected Systems

Products:
  • tj-actions/branch-names GitHub Action
Versions: 8.2.1 and below
Operating Systems: All platforms where GitHub Actions run
Default Config Vulnerable: ⚠️ Yes
Notes: Any GitHub repository using vulnerable versions of this action in workflows is affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the CI/CD pipeline, allowing attackers to steal secrets, modify code, deploy malicious artifacts, or pivot to internal systems.

🟠 Likely Case

Unauthorized code execution in GitHub Actions workflows, potentially leading to secret exfiltration or repository manipulation.

🟢 If Mitigated

Limited impact with proper branch protection rules, code review requirements, and restricted workflow permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to create branches or tags in the target repository, which may be restricted by repository settings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.0

Vendor Advisory: https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2r6

Restart Required: No

Instructions:

  1. Update the tj-actions/branch-names reference in GitHub Actions workflows to v9.0.0 or later.
  2. Replace any version references like v8 or v8.2.1 with v9.
  3. Commit and push the changes to trigger workflows with the fixed version.

🔧 Temporary Workarounds

Pin to specific safe version (all platforms)

Manually specify a safe older version while planning the upgrade.

In workflow YAML: uses: tj-actions/branch-names@v8.2.0

Implement branch protection rules (all platforms)

Restrict who can create branches/tags and require reviews.

🧯 If You Can't Patch

  • Disable or remove workflows using tj-actions/branch-names
  • Implement strict branch protection rules and require code reviews for all workflow changes

🔍 How to Verify

Check if Vulnerable:

Check GitHub Actions workflow YAML files for references to tj-actions/branch-names at version v8.2.1 or earlier, or using the floating major version tag v8.

Check Version:

grep -r "tj-actions/branch-names" .github/workflows/

Verify Fix Applied:

Confirm that workflow files reference tj-actions/branch-names@v9.0.0 or later, or use the major version tag v9.
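The grep above lists every reference but leaves the version comparison to the reader. The following script, an added example that is not part of this advisory or of the tj-actions project, walks `.github/workflows/`, extracts each `uses: tj-actions/branch-names@<ref>` line and classifies the ref against the advisory's numbers (8.2.1 and below vulnerable, fixed in 9.0.0, floating `v8` vulnerable, floating `v9` fixed). Refs that are a 40-character commit SHA or a branch name are reported as "unknown" because they cannot be judged from the ref alone. The sample workflow embedded at the bottom is constructed for illustration.

```python
"""Scan GitHub Actions workflow files for vulnerable tj-actions/branch-names references.

Added example (not from the advisory or the tj-actions project). Classifies each
`uses:` reference against the advisory's fixed version: 8.2.1 and below, and the
floating v8 tag, are vulnerable; 9.0.0 and later, and the floating v9 tag, are fixed.
"""
import re
from pathlib import Path

LAST_VULNERABLE = (8, 2, 1)   # "8.2.1 and below" per the advisory
FIXED_VERSION = (9, 0, 0)     # patch version per the advisory

# Matches `uses: tj-actions/branch-names@<ref>`, with or without quotes.
USES_RE = re.compile(r"uses:\s*['\"]?tj-actions/branch-names@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(ref: str):
    """Turn 'v8.2.1', '8.2' or 'v9' into (major, minor, patch); None if not a version."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    if not m:
        return None
    return tuple(int(x) if x is not None else None for x in m.groups())


def classify_ref(ref: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one action reference."""
    if SHA_RE.match(ref):
        # A pinned commit SHA cannot be classified from the ref alone; compare it
        # against the upstream release tags by hand.
        return "unknown"
    v = parse_version(ref)
    if v is None:
        return "unknown"  # e.g. a branch name such as 'main'
    major, minor, patch = v
    if minor is None:
        # Floating major tag ('v8', 'v9') resolves to the newest release in that line.
        return "fixed" if major >= FIXED_VERSION[0] else "vulnerable"
    full = (major, minor, patch or 0)
    if full <= LAST_VULNERABLE:
        return "vulnerable"
    if full >= FIXED_VERSION:
        return "fixed"
    return "unknown"  # not covered by the advisory's stated ranges


def scan_workflow_text(text: str, path: str = "<inline>") -> list:
    """Return (path, line_no, ref, status) for every branch-names reference in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if m:
            ref = m.group(1)
            findings.append((path, line_no, ref, classify_ref(ref)))
    return findings


def scan_directory(root: str = ".") -> list:
    """Scan every .yml/.yaml file under <root>/.github/workflows/."""
    findings = []
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings.extend(scan_workflow_text(path.read_text(encoding="utf-8"), str(path)))
    return findings


def needs_attention(findings: list) -> bool:
    """True if any reference is vulnerable or could not be classified."""
    return any(status in ("vulnerable", "unknown") for *_, status in findings)


# Constructed sample workflow (not a real repository's file) for a dry run.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get branch names
        uses: tj-actions/branch-names@v8.2.1
      - uses: "tj-actions/branch-names@v9"
"""


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(root) if root else scan_workflow_text(SAMPLE_WORKFLOW, "<constructed>")
    for path, line_no, ref, status in results:
        print(f"{status.upper():10} {path}:{line_no}  tj-actions/branch-names@{ref}")
    sys.exit(1 if needs_attention(results) else 0)
```

Run it with a repository root as the first argument to scan real workflow files; with no argument it scans the constructed sample and exits non-zero because one reference is at v8.2.1. A non-zero exit also covers SHA-pinned and branch refs so that they are reviewed rather than silently passed.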

📡 Detection & Monitoring

Log Indicators:

  • Unexpected command execution in GitHub Actions logs
  • Suspicious branch or tag names containing shell metacharacters

Network Indicators:

  • Unusual outbound connections from GitHub Actions runners

SIEM Query:

source="github-actions" AND "tj-actions/branch-names" AND (version="8.*" OR version="v8.*")
