Coordinated Disclosure Timeline

Summary

A vulnerability was identified in the latest main branch of the ag2ai/faststream project where the GitHub Actions workflow pr_autoupdate.yaml checks out untrusted code, potentially allowing attackers to execute arbitrary code in a privileged context (GHSL-2025-094).

Project

ag2ai/faststream

Tested Version

latest main branch

Checking out of untrusted code in GitHub Actions pr_autoupdate.yaml may lead to code execution in privileged context

Vulnerability Details

The GitHub action at .github/workflows/pr_autoupdate.yaml is checking out untrusted code. Below is the code snippet from the file:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ secrets.AUTOMERGE_TOKEN }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.head_ref }}
          persist-credentials: false

It then invokes pip install, but by that point the working directory contains the code from the PR branch. In particular, by creating a malicious setup.py file in the PR branch, an attacker can execute arbitrary code in the highly privileged context of pull_request_target.

The workflow also uses the secret AUTOMERGE_TOKEN at line 24, which could be exfiltrated by code execution.

In addition, the workflow grants the contents: write permission, which gives the executed code write access to the repository contents.
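
One way to check workflow files for the pattern described above, as an added example that is not part of the original advisory or the faststream project. It is a heuristic regex scan rather than a YAML parser; the function and field names are hypothetical, and the sample workflow is constructed from the snippet and details above (the job name and the exact `pip install .` command are assumptions).

```python
import re

# Heuristic patterns for a line-based scan (not a YAML parser).
TRIGGER = re.compile(r"^(?:on:\s*.*|\s*-?\s*)\bpull_request_target\b", re.M)
CHECKOUT = re.compile(r"^\s*(?:-\s*)?uses:\s*actions/checkout@")
HEAD_INPUT = re.compile(r"^\s*(ref|repository):.*github\.(?:head_ref|event\.pull_request\.head\.)")
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
WRITE = re.compile(r"^\s*([\w-]+):\s*write\s*$", re.M)

# Constructed sample: the advisory's snippet plus assumed surrounding keys.
SAMPLE = """\
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  autoupdate:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ secrets.AUTOMERGE_TOKEN }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.head_ref }}
          persist-credentials: false
      - run: pip install .
"""

def indent(line):
    return len(line) - len(line.lstrip())

def audit_workflow(text):
    """Flag a privileged trigger combined with a checkout of PR head code."""
    lines = text.splitlines()
    head_inputs = []
    for i, line in enumerate(lines):
        if not CHECKOUT.match(line):
            continue
        for nxt in lines[i + 1:]:  # walk the remaining keys of this step
            dedented = nxt.strip() and indent(nxt) < indent(line)
            if nxt.lstrip().startswith("- ") or dedented:
                break  # reached the next step or left the steps list
            m = HEAD_INPUT.match(nxt)
            if m:
                head_inputs.append(m.group(1))
    privileged = bool(TRIGGER.search(text))
    return {"privileged_trigger": privileged, "head_inputs": head_inputs,
            "secrets": sorted(set(SECRET.findall(text))),
            "write_permissions": WRITE.findall(text),
            "risky": privileged and bool(head_inputs)}
```

A `risky` result means the file deserves manual review: the listed secrets and write permissions show what code from the PR branch could reach if a later step executes it.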

Impact

This issue may lead to code execution in a privileged context in a GitHub workflow.

Credit

This issue was discovered by CodeQL and an AI agent developed by the GitHub Security Lab and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2025-094 in any communication regarding this issue.