GHSA-hw6r-g8gj-2987
Actions expression injection in `filter-test-configs` (`GHSL-2023-181`)
Blast Radius
https://github.com/pytorch/pytorch/.github/actions/filter-test-configs
Description
The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.
Details
The filter-test-configs workflow interpolates the raw `github.event.workflow_run.head_branch` value directly into the `run` script of the filter step, so the expression is expanded into the script text before bash executes it:

```yaml
- name: Select all requested test configurations
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github-token }}
    JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
  id: filter
  run: |
    ...
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
    ...
      --branch "${{ github.event.workflow_run.head_branch }}"
```
In the event of a repository using filter-test-configs in a pull_request_target-triggered workflow, an attacker could use a malicious branch name to gain command execution in the step and potentially leak secrets.
```yaml
name: Example
on: pull_request_target
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Filter
        uses: pytorch/pytorch/.github/actions/filter-test-configs@v2
```
Impact
This issue may lead to stealing workflow secrets.
Remediation
- Use an intermediate environment variable for potentially attacker-controlled values such as `github.event.workflow_run.head_branch`:

```yaml
- name: Select all requested test configurations
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github-token }}
    JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
    HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
  id: filter
  run: |
    ...
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
    ...
      --branch "$HEAD_BRANCH"
```
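To check workflow and composite-action YAML for the pattern this advisory describes, the following added example (not code from the advisory or from pytorch) flags `${{ }}` expressions over attacker-influenced contexts that are expanded inside a `run:` script, while accepting the remediated form where the value is first bound to an `env:` variable. The context list and the sample steps are constructed for illustration.

```python
import re

# Assumed, illustrative list of expression contexts a pull-request author or
# forked branch can influence; the first entry is the one from this advisory.
UNTRUSTED_CONTEXTS = (
    "github.event.workflow_run.head_branch",
    "github.event.pull_request.title",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:")

def find_injections(workflow_text):
    """Return (line_no, expression) for each untrusted ${{ }} expression expanded
    inside a run: script; expressions under env: reach the shell as data, not code."""
    findings = []
    run_indent = None  # column of the active run: key, None outside a run block
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        m = RUN_RE.match(line)
        if m:
            # for "- run:" the key sits after the dash, so include the dash's width
            run_indent = len(m.group(1)) + len(m.group(2) or "")
        elif run_indent is not None and indent <= run_indent:
            run_indent = None  # dedented back out of the run: block
        if run_indent is None:
            continue
        for expr in EXPR_RE.findall(line):
            if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXTS):
                findings.append((no, expr))
    return findings

# Constructed samples mirroring the advisory's vulnerable and remediated steps.
VULNERABLE_STEP = """\
- name: Select all requested test configurations
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github-token }}
  id: filter
  run: |
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \\
      --branch "${{ github.event.workflow_run.head_branch }}"
"""
FIXED_STEP = VULNERABLE_STEP.replace(
    '"${{ github.event.workflow_run.head_branch }}"', '"$HEAD_BRANCH"'
).replace("  id: filter", "    HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}\n  id: filter")
```

`find_injections(VULNERABLE_STEP)` reports line 8 (the `--branch` argument), while `find_injections(FIXED_STEP)` returns an empty list because the value now enters the step through `env:`.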
Resources
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦GitHub Actions | https://github.com/pytorch/pytorch/.github/actions/filter-test-configs | all versions | No fix |
Detection & mitigation playbook
Open-source dependency
Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for https://github.com/pytorch/pytorch/.github/actions/filter-test-configs. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of https://github.com/pytorch/pytorch/.github/actions/filter-test-configs has shipped for GHSA-hw6r-g8gj-2987 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.