Summary
A critical command injection vulnerability was discovered in the discord-pr-notify.yml GitHub Actions workflow of the RooCodeInc/Roo-Code repository. The workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner.
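The injectable pattern the summary describes, as an added illustration that is not the repository's actual discord-pr-notify.yml (this advisory does not reproduce it): a constructed workflow with a vulnerable step and its hardened form, followed by a small check that flags attacker-controlled expression contexts expanded inside run: steps. The workflow contents, the names SAMPLE_WORKFLOW, run_scripts and find_injections, and the $WEBHOOK variable are assumptions.

```python
import re

# Constructed sample workflow (the advisory does not reproduce the real
# discord-pr-notify.yml): the "vulnerable" step expands a PR-author-controlled
# field into the shell script; "hardened" passes it via an environment variable.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          curl -X POST -d "content=PR: ${{ github.event.pull_request.title }}" "$WEBHOOK"
      - name: hardened
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          curl -X POST -d "content=PR: $PR_TITLE" "$WEBHOOK"
"""
# Expression contexts whose text is chosen by the PR author or a commenter.
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.event\.(pull_request|issue|comment|review"
                       r"|commits|head_commit|workflow_run)\b[^}]*|github\.head_ref\b[^}]*)\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def run_scripts(text):
    """Yield (first_line_no, script) for each run: step (1-based line numbers)."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        if m.group(3)[:1] not in ("|", ">"):  # inline scalar on the run: line itself
            yield i, m.group(3)
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        start = i  # block scalar body: every following line indented past the key
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_col):
            i += 1
        yield start + 1, "\n".join(lines[start:i])

def find_injections(text):
    """Return (line_no, expression) for untrusted contexts expanded inside run: steps."""
    return [(start + k, m.group(0))
            for start, script in run_scripts(text)
            for k, line in enumerate(script.splitlines())
            for m in UNTRUSTED.finditer(line)]
```

Only the "vulnerable" step is reported; the same expression under env: is not, because the shell then receives it as a quoted variable rather than as script text.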
Impact
The vulnerability’s impact is severe due to the workflow running with broad permissions and access to repository secrets. An attacker could:
- Execute arbitrary commands on the runner.
- Push or modify code in the repository.
- Access sensitive secrets, such as webhook credentials.
- Create malicious releases or packages.
This could result in a complete compromise of the repository and its associated services.
Resolution
The vulnerable workflow has been removed, and all affected secrets have been rotated.