Vulnerability Description
tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names' GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/tj-actions/branch-names/commit/e497ceb8ccd43fd9573cf2e3752166
- https://github.com/tj-actions/branch-names/releases/tag/v9.0.0
- https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2
- https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2
FAQ
What is CVE-2025-54416?
CVE-2025-54416 is a vulnerability with a CVSS score of 9.1 (CRITICAL). tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has be...
How severe is CVE-2025-54416?
CVE-2025-54416 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-54416?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.