Potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.
This is patched in 1.13.6.
As a workaround, downgrade to a version below 1.13.2.
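As an added illustration of the bug class described above (not OZI-Project/publish's own code; the project's actual PR-creation logic is not shown on this page), the following POSIX shell shows the mitigation a workflow author applies: the branch name arrives through an environment variable instead of being interpolated into the script, is checked against a conservative allowlist, and is only ever passed as a quoted argument. The `BRANCH` variable and the `--head=` argument are assumptions for the illustration.

```shell
# Added example, not the project's code: treat a branch name as untrusted input.
# Returns 0 if the name is safe to use, 1 otherwise.
# Allowlist: first character a letter or digit, then letters, digits, '.', '_',
# '-' and '/'. Anything the shell could interpret ($, backtick, ;, |, &, quotes,
# whitespace) is rejected, as are '..' components and a leading '-' (which git
# would parse as an option).
validate_branch_name() {
    name=$1
    # Reject empty or overlong names
    [ -n "$name" ] && [ "${#name}" -le 200 ] || return 1
    case "$name" in
        */..*|..*|*/) return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    case "$name" in
        [A-Za-z0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Safe consumer: the branch name is read from the environment (as a workflow
# would set it with `env: BRANCH: ${{ github.head_ref }}`), validated, and then
# handed to the PR-creation command as a single quoted argument. It is never
# spliced into a command string, so it is never re-parsed by the shell.
create_pr_branch_arg() {
    validate_branch_name "$BRANCH" || {
        echo "refusing unsafe branch name" >&2
        return 1
    }
    printf '%s\n' "--head=$BRANCH"
}
```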
| Score | Percentile |
|---|---|
| 0.33% | 55.78% |
| Base score | CVSS version | Severity | Vector |
|---|---|---|---|
| 6.3 | 4.0 | — | — |
| Type | Value |
|---|---|
| GHSA | GHSA-2487-9f55-2vg9 |
| CVE | CVE-2025-47271 |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| actions | OZI-Project/publish | >= 1.13.2, < 1.13.6 | 1.13.6 | — |