Black GitHub Action Vulnerability in Version Parsing Leading to Remote Code Execution
Vulnerability
A vulnerability in the GitHub Action shipped with the Black Python code formatter allows arbitrary code execution. The issue arises in the action's version parsing when the 'use_pyproject' option is enabled: a malicious pull request can direct the action to a harmful repository, giving the attacker access to any secrets or permissions available in the action's context. The vulnerability affects Black versions prior to 26.3.0.
Impact
Exploitation of this vulnerability could lead to arbitrary code execution within the GitHub Action, allowing attackers to access secrets or permissions available in that context.
Remediation
Users should upgrade to Black version 26.3.0, which addresses the vulnerability by improving validation of the 'version' field. The fix is picked up automatically when the GitHub Action is referenced as 'psf/black@stable'. Users who reference 'psf/black' with 'use_pyproject: true' are advised to disable that option or to set the version explicitly to avoid potential exploitation.
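To make the remediation concrete, the following added workflow fragment (not from the advisory or the Black project) shows the risky configuration beside the hardened one. The 'use_pyproject' and 'version' inputs are those named above; the workflow name, job name and the placeholder action ref are constructed for illustration.

```yaml
# Constructed example: .github/workflows/lint.yml
name: lint

on: [pull_request]

jobs:
  black:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # RISKY (pre-26.3.0 action ref): the Black version is read from the
      # pull request's pyproject.toml, so PR-controlled input reaches the
      # action's version parsing.
      # - uses: psf/black@<PINNED-REF-BEFORE-26.3.0>   # placeholder ref
      #   with:
      #     use_pyproject: true

      # HARDENED: track the fixed action and do not derive the version
      # from repository content; pin it explicitly instead.
      - uses: psf/black@stable
        with:
          use_pyproject: false
          version: "26.3.0"
```

If the action cannot be moved to '@stable', keeping 'use_pyproject' disabled and setting 'version' explicitly removes the PR-controlled input from the version path.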