Jellyfin
cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*
A vulnerability has been identified in the GitHub Actions workflow 'code-quality.yml' of the Jellyfin iOS repository. The workflow runs with elevated permissions (nearly all write scopes) and can be made to execute arbitrary, attacker-controlled code via a pull request opened from a forked repository. Because the fork-supplied code runs in the base repository's privileged context, exploitation could lead to a complete takeover of the Jellyfin iOS repository, exposure of highly privileged secrets such as the JF_BOT_TOKEN and the App Store Connect API credentials, and the ability to push malicious updates to the iOS apps, i.e. an Apple App Store supply chain attack. It could additionally enable poisoning of packages in the GitHub Container Registry and, through cross-repository use of the exposed token, a full compromise of the Jellyfin organization.
Exploitation of this vulnerability could lead to a full takeover of the Jellyfin iOS repository, unauthorized access to sensitive secrets, a compromise of the Jellyfin organization, and the ability to push malicious updates to iOS apps via the Apple App Store.
The vulnerability can be reproduced by opening a pull request from a forked repository against the Jellyfin iOS repository. The 'code-quality.yml' workflow runs on that pull request with the base repository's elevated permissions, so content controlled by the fork executes with write access and with the repository's secrets available. Note that a workflow triggered by a plain pull_request event from a fork receives only a read-only GITHUB_TOKEN and no secrets; a fork pull request obtaining write scopes and secrets indicates the workflow was configured to run in the base repository's privileged context while checking out or executing fork-controlled content.
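The advisory does not publish the contents of 'code-quality.yml'. The following is an added, constructed illustration (not the Jellyfin workflow and not code from the Jellyfin project) of the most common way a GitHub Actions workflow ends up in the state described above, followed by a hardened form of the same job. The workflow name, the `pull_request_target` trigger, the `scripts/lint.sh` path and the `BOT_TOKEN` secret name are assumptions chosen for the illustration.

```yaml
# VULNERABLE PATTERN (constructed example, assumed; not the project's workflow).
# pull_request_target runs in the context of the BASE repository: it gets a
# GITHUB_TOKEN with the repository's permissions and access to its secrets,
# even when the pull request comes from a fork. That is safe only as long as
# the job never checks out or executes anything the fork controls.
name: code-quality
on:
  pull_request_target:
    branches: [main]

# Grants the job's token almost every write scope.
permissions: write-all

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the FORK's commit, so every file below, including the
          # lint script itself, is attacker-controlled.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run linter
        # Executes a script taken from the fork while a privileged token and a
        # repository secret are in the environment: arbitrary code execution
        # with write access to the repository.
        run: ./scripts/lint.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}

---
# HARDENED FORM (constructed example, assumed).
# The plain pull_request event runs in the context of the pull request itself:
# for a fork, GitHub issues a read-only GITHUB_TOKEN and withholds repository
# secrets, so fork-controlled code cannot modify the repository or read them.
name: code-quality
on:
  pull_request:
    branches: [main]

# Explicit least-privilege token: read the source and nothing else.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Default ref for pull_request is the merge commit of the PR; the code
      # being linted is still untrusted, but it runs without write scopes and
      # without access to secrets.
      - uses: actions/checkout@v4
      - name: Run linter
        run: ./scripts/lint.sh
```

If a job genuinely needs `pull_request_target` (for example to comment on the pull request), keep that job free of any `actions/checkout` of `github.event.pull_request.head.*` and of any step that runs code from the pull request, and set a `permissions:` block listing only the scopes that job needs rather than relying on the repository default.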
The CI workflows have been updated in all affected repositories, and the compromised secrets have been rotated.