CVE-2025-47271

Sažetak

The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.

Reference

https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c
https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

12-05-2025 - 17:32

Objavljeno

12-05-2025 - 11:15