CVE-2025-49013 (GCVE-0-2025-49013)
Vulnerability from cvelistv5 – Published: 2025-06-09 12:47 – Updated: 2025-06-09 14:11
Summary
WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user-controlled variables directly inside shell script contexts in GitHub Actions workflows. This introduces a code injection vulnerability: a malicious actor submitting a crafted pull request review containing shell metacharacters or commands could execute arbitrary shell code on the GitHub Actions runner. This can lead to arbitrary command execution with the permissions of the workflow, potentially compromising CI infrastructure, secrets, and build outputs. Developers who maintain or contribute to the repos WilderForge/WilderForge, WilderForge/ExampleMod, WilderForge/WilderWorkspace, WilderForge/WildermythGameProvider, WilderForge/AutoSplitter, WilderForge/SpASM, WilderForge/thrixlvault, WilderForge/MassHash, and/or WilderForge/DLC_Disabler, as well as users who fork any of the above repositories and reuse affected GitHub Actions workflows, are affected. End users of any of the above software and users who only install pre-built releases or artifacts are not affected. This vulnerability does not impact runtime behavior of the software or compiled outputs unless those outputs were produced during exploitation of this vulnerability. A current workaround is to disable GitHub Actions in affected repositories or remove the affected workflows.
Severity
10 (Critical)
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- CWE-116: Improper Encoding or Escaping of Output
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/WilderForge/WilderForge/security/advisories/GHSA-m6r3-c73x-8fw5 | x_refsource_CONFIRM |
| https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection | x_refsource_MISC |
| https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#preventing-script-injection | x_refsource_MISC |
| https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injection | x_refsource_MISC |
| https://securitylab.github.com/research/github-actions-untrusted-input | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WilderForge | WilderForge | Affected: < 5.2.1.0 (com.wildermods.workspace:com.wildermods.workspace.gradle.plugin) |
| WilderForge | WilderForge | Affected: < 1.0.0.5 (com.wildermods:ExampleMod) |
| WilderForge | WilderForge | Affected: < 0.4.2.0 (com.wildermods:WilderForge) |
| WilderForge | WilderForge | Affected: < 36a1107de6a77f8353dd0aa14690aa3c7c3550ef (com.wildermods:autosplitter) |
| WilderForge | WilderForge | Affected: < 1.0.1.0 (com.wildermods:dlc_disabler) |
| WilderForge | WilderForge | Affected: < 1.3.1.0 (com.wildermods:masshash) |
| WilderForge | WilderForge | Affected: < 1.9.1.0 (com.wildermods:provider) |
| WilderForge | WilderForge | Affected: < 0.5.1.0 (com.wildermods:thrixlvault) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T14:11:02.929304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T14:11:43.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WilderForge",
"vendor": "WilderForge",
"versions": [
{
"status": "affected",
"version": "\u003c 5.2.1.0 (com.wildermods.workspace:com.wildermods.workspace.gradle.plugin)"
},
{
"status": "affected",
"version": "\u003c 1.0.0.5 (com.wildermods:ExampleMod)"
},
{
"status": "affected",
"version": "\u003c 0.4.2.0 (com.wildermods:WilderForge)"
},
{
"status": "affected",
"version": "\u003c 36a1107de6a77f8353dd0aa14690aa3c7c3550ef (com.wildermods:autosplitter)"
},
{
"status": "affected",
"version": "\u003c 1.0.1.0 (com.wildermods:dlc_disabler)"
},
{
"status": "affected",
"version": "\u003c 1.3.1.0 (com.wildermods:masshash)"
},
{
"status": "affected",
"version": "\u003c 1.9.1.0 (com.wildermods:provider)"
},
{
"status": "affected",
"version": "\u003c 0.5.1.0 (com.wildermods:thrixlvault)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user controlled variables directly inside shell script contexts in GitHub Actions workflows. This introduces a code injection vulnerability: a malicious actor submitting a crafted pull request review containing shell metacharacters or commands could execute arbitrary shell code on the GitHub Actions runner. This can lead to arbitrary command execution with the permissions of the workflow, potentially compromising CI infrastructure, secrets, and build outputs. Developers who maintain or contribute to the repos WilderForge/WilderForge, WilderForge/ExampleMod, WilderForge/WilderWorkspace, WilderForge/WildermythGameProvider, WilderForge/AutoSplitter, WilderForge/SpASM, WilderForge/thrixlvault, WilderForge/MassHash, and/or WilderForge/DLC_Disabler; as well as users who fork any of the above repositories and reuse affected GitHub Actions workflows, are affected. End users of any the above software and users who only install pre-built releases or artifacts are not affected. This vulnerability does not impact runtime behavior of the software or compiled outputs unless those outputs were produced during exploitation of this vulnerability. A current workaround is to disable GitHub Actions in affected repositories, or remove the affected workflows."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T12:47:29.163Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WilderForge/WilderForge/security/advisories/GHSA-m6r3-c73x-8fw5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WilderForge/WilderForge/security/advisories/GHSA-m6r3-c73x-8fw5"
},
{
"name": "https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection",
"tags": [
"x_refsource_MISC"
],
"url": "https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection"
},
{
"name": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#preventing-script-injection",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#preventing-script-injection"
},
{
"name": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injection",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injection"
},
{
"name": "https://securitylab.github.com/research/github-actions-untrusted-input",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/research/github-actions-untrusted-input"
}
],
"source": {
"advisory": "GHSA-m6r3-c73x-8fw5",
"discovery": "UNKNOWN"
},
"title": "WilderForge vulnerable to code Injection via GitHub Actions Workflows"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49013",
"datePublished": "2025-06-09T12:47:29.163Z",
"dateReserved": "2025-05-29T16:34:07.176Z",
"dateUpdated": "2025-06-09T14:11:43.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.