Hello maintainers,
I would like to report a potential vulnerability in your GitHub CI workflows.
Affected files:
- lgallard/terraform-aws-backup/.github/workflows/claude-code-review.yml
Vulnerability:
- In job 'claude', step 'Workflow Summary', attacker-controlled PR file names from 'steps.changes.outputs.changed_files' and commit metadata from 'steps.verify-state.outputs' are spliced into the 'run' shell command, enabling direct command injection.
Thank you for your time and for maintaining this project.
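The injection pattern described in the report, shown beside the usual fix, as an added illustration that is not part of the report or of the project's own workflow. Step ids `changes` and `verify-state` and the output `changed_files` come from the report above; the output name `head_sha` is an assumption chosen for the example. The point is that `${{ ... }}` expressions are expanded by the runner before the shell starts, so untrusted text placed directly in `run` becomes part of the script, whereas values passed through `env:` reach the shell as data that ordinary quoting keeps inert.

```yaml
# Added example, not the project's workflow.
# Unsafe pattern: the expression is substituted into the script text
# before bash runs it, so PR-controlled file names or commit metadata
# are interpreted as shell syntax.
- name: Workflow Summary (unsafe pattern)
  run: |
    echo "Changed files: ${{ steps.changes.outputs.changed_files }}"
    echo "Head commit: ${{ steps.verify-state.outputs.head_sha }}"   # output name assumed

# Hardened pattern: bind each untrusted value to an environment variable
# and reference it with a quoted shell variable. The shell now sees the
# value as a string argument, never as code.
- name: Workflow Summary (hardened)
  env:
    CHANGED_FILES: ${{ steps.changes.outputs.changed_files }}
    HEAD_SHA: ${{ steps.verify-state.outputs.head_sha }}   # output name assumed
  shell: bash
  run: |
    echo "Changed files: ${CHANGED_FILES}"
    echo "Head commit: ${HEAD_SHA}"
    # Writing the same values to the step summary is equally safe,
    # because expansion of the variables happens inside the shell.
    {
      echo "## Summary"
      echo "- Changed files: ${CHANGED_FILES}"
      echo "- Head commit: ${HEAD_SHA}"
    } >> "${GITHUB_STEP_SUMMARY}"
```

When auditing a workflow for this class of issue, grep every `run:` block for `${{` and treat any expression rooted in `github.event`, `steps.*.outputs`, or `inputs` as untrusted unless the producing step demonstrably sanitises it; moving those expressions into `env:` is the minimal change that removes the injection without altering the step's behaviour.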