Meshtastic GitHub Action Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the Meshtastic GitHub repository's Actions workflow. This issue arises in the 'main_matrix.yml' file, where user-controlled input is unsafely interpolated into shell commands. The vulnerability is triggered by the 'pull_request_target' event, which grants extensive permissions. An attacker could exploit this by creating a pull request from a forked repository, injecting unauthorized code that could be executed in the repository's context. The vulnerability affects versions 2.5.3 and prior, and has been patched in version 2.6.6.
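The pattern behind this bug class, shown as an added illustration beside its hardened form. This is constructed example workflow, not the Meshtastic project's actual 'main_matrix.yml'; the job names and the use of the `github.head_ref` context for the branch name are assumptions.

```yaml
# Constructed illustration of the bug class, not Meshtastic's own workflow.
name: build-matrix

on:
  pull_request_target:      # runs in the base repo with its secrets and write token,
                            # even for pull requests opened from forks

jobs:
  unsafe:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      # VULNERABLE: the ${{ }} expression is expanded into the script text
      # before the shell parses it, so a branch name containing shell
      # metacharacters changes what the step executes.
      - run: echo "Building branch ${{ github.head_ref }}"

  hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # least privilege: read-only GITHUB_TOKEN
    steps:
      # FIXED: the value reaches the shell only as an environment variable;
      # the shell never re-parses its contents, and the double quotes keep
      # it a single word regardless of what it contains.
      - env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Building branch $BRANCH"
```

The same intermediary-variable rule applies to every attacker-influenced context (pull request title, body, commit messages, author names); the `permissions` block limits what a successful injection could do with the token.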
Impact
Exploitation of this vulnerability could allow attackers to inject and execute unauthorized code within the repository. Such actions could lead to the deployment of backdoors, distribution of malware, and other significant security compromises.
Reproduction
To reproduce this vulnerability, fork the Meshtastic repository and create a pull request from the fork. The 'main_matrix.yml' GitHub Action will be triggered with elevated permissions. In the pull request, include a branch name that exploits the command injection, such as one that prints environment variables or exfiltrates the GitHub token. This will demonstrate how user-controlled input can be injected and executed, exploiting the vulnerability.
Remediation
Users can update to Meshtastic version 2.6.6 or later, where this vulnerability has been fixed.