Lucene search

5 matches found

Source: CVE
Added 2025/07/30 1:41 p.m., 11 views

CVE-2025-54430

CVE-2025-54430 affects the Deduplicate (dedupe) Python library. The issue resides in the GitHub Actions workflow .github/workflows/benchmark-bot.yml, where an issue_comment can trigger and cause untrusted code to run because the workflow checks out the PR branch via ${{ github.event.issue.number ...

CVSS 9.1, AI score 6.6, EPSS 0.00307
Exploits: 0, References: 2
Source: Cvelist
Added 2025/07/30 1:41 p.m., 6 views

CVE-2025-54430 dedupe is vulnerable to secret exfiltration via `issue_comment`

dedupe is a Python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where an issue_comme...

CVSS 9.1, EPSS 0.00307
Exploits: 0, References: 2
Source: OSV
Added 2025/05/28 2:54 p.m., 2 views

GHSA-PHF6-HM3H-X8QP Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`

Summary: Using issue_comment on .github/workflows/scalafmt-fix.yml an attacker can inject malicious code using github.event.comment.body. By exploiting the vulnerability, it is possible to exfiltrate the high-privileged GITHUB_TOKEN, which can be used to completely take over the repo since the token has...

CVSS 9.1, AI score 7.3
Exploits: 0, References: 3
Source: Cvelist
Added 2021/04/06 6:35 p.m., 16 views

CVE-2021-21423 Exposure of Version-Control Repository to an Unauthorized Control Sphere in projen

projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type including any project type...

CVSS 6.8, AI score 8.4, EPSS 0.00672
Exploits: 0, References: 3
Source: CVE
Added 2021/04/06 6:35 p.m., 238 views

CVE-2021-21423

CVE-2021-21423 concerns the projen build tool. The issue centers on the rebuild-bot GitHub workflow (triggered by issue_comment with @projen rebuild) which runs with the repository’s GITHUB_TOKEN and could allow untrusted code to affect the main branch, potentially exposing secrets or altering co...

CVSS 8.1, AI score 7.4, EPSS 0.00672
Exploits: 0, References: 3, Affected Software: 1