CVE-2025-54430
📋 TL;DR
A critical vulnerability in dedupe's GitHub Actions workflow allows an attacker who can comment on a pull request to execute arbitrary code in the repository's CI. This could lead to repository takeover through stolen GitHub tokens with write permissions. Only users running dedupe's development workflows from unpatched versions are affected.
💻 Affected Systems
- dedupe
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete repository takeover allowing attackers to push malicious code, steal secrets, and compromise downstream users.
Likely Case
Unauthorized code execution in CI/CD pipeline leading to token theft and potential supply chain attacks.
If Mitigated
No impact if the workflow is disabled or the repository is on a patched version.
🎯 Exploit Status
Exploitation requires only GitHub account access to comment on PRs; no technical barriers exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 3f61e79 or later
Vendor Advisory: https://github.com/dedupeio/dedupe/security/advisories/GHSA-wrg3-xqw8-m85p
Restart Required: No
Instructions:
1. Update to commit 3f61e79 or later.
2. Remove or disable .github/workflows/benchmark-bot.yml if not needed.
3. Rotate any potentially exposed GitHub tokens.
🔧 Temporary Workarounds
Disable vulnerable workflow
Temporarily disable the benchmark-bot.yml workflow to prevent exploitation
mv .github/workflows/benchmark-bot.yml .github/workflows/benchmark-bot.yml.disabled
Restrict workflow triggers
Modify the workflow so it only runs from trusted sources
Edit .github/workflows/benchmark-bot.yml to remove issue_comment trigger or add branch restrictions
🧯 If You Can't Patch
- Disable GitHub Actions entirely for the repository
- Implement branch protection rules requiring reviews before workflow execution
🔍 How to Verify
Check if Vulnerable:
Check if .github/workflows/benchmark-bot.yml exists and contains the vulnerable issue_comment trigger pattern
Check Version:
git log --oneline | head -5
Verify Fix Applied:
Verify that commit 3f61e79 appears in the repository history, or check that benchmark-bot.yml no longer uses ${{ github.event.issue.number }} to select the ref it checks out
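The two checks above (the trigger restriction under Temporary Workarounds and the verification of the checkout pattern) can be automated. The script below is an added example, not part of this advisory or of the dedupe project: it scans a .github/workflows directory for the risk pattern the advisory describes, an issue_comment trigger combined with a checkout whose ref is derived from ${{ github.event.issue.number }}. The two workflow files it writes are constructed samples for illustration and are not dedupe's real benchmark-bot.yml; the hardened variant shows generic GitHub Actions guidance (pull_request trigger, default merge ref, read-only permissions), not the content of the actual fix commit.

```shell
#!/bin/sh
# Added example (not from the advisory or the dedupe project): flag GitHub
# Actions workflows that run on issue_comment and check out a ref built from
# ${{ github.event.issue.number }}. Both sample workflows below are constructed.
set -e

# Returns 0 (true) when the file has an issue_comment trigger AND references
# github.event.issue.number (the commenter-controlled PR number); 1 otherwise.
workflow_is_vulnerable() {
  f=$1
  [ -f "$f" ] || return 1
  grep -qE '^[[:space:]]*issue_comment:' "$f" || return 1
  grep -qF 'github.event.issue.number' "$f" || return 1
  return 0
}

# Prints the path of every flagged workflow in a directory (one per line).
scan_workflows() {
  dir=$1
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    if workflow_is_vulnerable "$f"; then
      echo "$f"
    fi
  done
}

# Prints the number of flagged workflows in a directory (0 = clean).
count_vulnerable() {
  scan_workflows "$1" | wc -l | tr -d ' '
}

# Constructed demo directory standing in for a repository's .github/workflows.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Constructed vulnerable workflow: any PR comment starts a run that carries the
# repository's token, and the code it checks out comes from the commenter's PR.
cat > "$DEMO_DIR/benchmark-bot.yml" <<'EOF'
name: benchmark-bot (constructed sample)
on:
  issue_comment:
    types: [created]
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - run: make benchmark
EOF

# Constructed hardened variant: pull_request runs from forks get a read-only
# token and no secrets, the checkout uses the default merge ref, and write
# permissions are dropped explicitly.
cat > "$DEMO_DIR/benchmark.yml" <<'EOF'
name: benchmark (constructed sample)
on:
  pull_request:
permissions:
  contents: read
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make benchmark
EOF

# Usage: point scan_workflows at a real repository's .github/workflows instead.
scan_workflows "$DEMO_DIR"
echo "flagged: $(count_vulnerable "$DEMO_DIR")"
```

Run it against a checkout of the repository by passing .github/workflows to scan_workflows; an empty result means the trigger/checkout combination the advisory names is no longer present, which complements (but does not replace) confirming that commit 3f61e79 is in the history.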
📡 Detection & Monitoring
Log Indicators:
- Unexpected workflow runs triggered by issue comments
- Benchmark bot executions from unfamiliar PRs
Network Indicators:
- Unusual outbound connections from GitHub Actions runners
SIEM Query:
source="github-actions" AND workflow="benchmark-bot" AND trigger="issue_comment"