Vercel AI OS Command Injection Vulnerability in GitHub Actions Workflow

Vulnerability

A command injection vulnerability has been identified in the Vercel AI package, affecting versions up to 3.0.97. The issue is in the GitHub Actions workflow file '.github/workflows/prettier-on-automerge.yml', where a run step interpolates the pull request's head branch name directly into a bash script. GitHub Actions substitutes workflow expressions into the script text before the shell parses it, so any shell metacharacters in the branch name are interpreted as code; quoting around the expression does not prevent this. An attacker who controls the branch name can therefore execute arbitrary commands on the GitHub Actions runner, potentially making unauthorized changes to the repository and exposing credentials available to the job. The flaw is in the repository's CI configuration rather than in the library code itself. The vulnerability is remotely exploitable but requires a high level of attack complexity.

Impact

Successful exploitation gives arbitrary command execution on the GitHub Actions runner with the permissions of the workflow job, including any GitHub deployment tokens and application privileges exposed to it. These can be used to push unauthorized modifications to the repository and to tamper with or intercept CI/CD deployments.

Reproduction

The vulnerability can be reproduced by opening a pull request from a branch whose name contains a shell payload, for example a command substitution. No bypass of Git's naming rules is needed: git-check-ref-format forbids spaces, '~', '^', ':', '?', '*', '[', '\' and control characters, but permits '$', '(', ')', ';', backticks and single quotes, which is everything an injection requires. When the 'prettier-on-automerge.yml' workflow runs after the pull request is merged, the branch name is substituted into the run step and the embedded command executes on the GitHub Actions runner.

Remediation

To address this vulnerability, update the 'prettier-on-automerge.yml' workflow so that the branch name, and any other attacker-influenced input, is passed to the step through an intermediate environment variable (an env: entry on the step) and referenced from the script as a quoted shell variable, instead of being interpolated with a workflow expression directly into the run: script. The shell then receives the value as data and never parses it as code. As defence in depth, also limit the workflow's token permissions to what the step actually needs, so that a compromised runner yields as little as possible.
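The mechanism behind both the reproduction and the fix, as an added example that is not the project's workflow or code: GitHub Actions expands ${{ ... }} expressions textually into the run: script before bash parses it, so the script below stands in for that expansion with plain string concatenation and runs the result, beside the environment-variable form the remediation calls for. The branch-name payloads are constructed, and the assumption that the workflow interpolates ${{ github.head_ref }} is mine; the page only states that the branch name is interpolated.

```shell
#!/usr/bin/env sh
# Simulation of `${{ ... }}` interpolation into a GitHub Actions `run:` step.
# Actions substitutes the expression into the script text before the shell
# sees it; the string concatenation below stands in for that substitution,
# and `sh -c "$script"` plays the role of the runner's shell.

# Constructed attacker-controlled branch names. git-check-ref-format forbids
# space, ~, ^, :, ?, *, [, \ and control characters, but permits $ ( ) ; '
# and backticks, so both of these are valid pull request head branch names.
PAYLOAD_SUBST='fix/typo$(echo INJECTED)'
PAYLOAD_QUOTE="fix'; echo INJECTED; echo '"

# Vulnerable: expression inside double quotes in the script text, i.e. the
# assumed shape   run: echo "checking out ${{ github.head_ref }}"
# $(...) is still expanded inside double quotes, so the payload runs.
vulnerable_double_quoted() {
  script="echo \"checking out $1\""
  sh -c "$script"
}

# Vulnerable: expression inside single quotes, i.e.
#   run: echo 'checking out ${{ github.head_ref }}'
# A single quote in the branch name closes the literal; the rest is code.
vulnerable_single_quoted() {
  script="echo 'checking out $1'"
  sh -c "$script"
}

# Hardened: the value reaches the shell only through the environment and the
# script text is static, i.e.
#   env:
#     BRANCH: ${{ github.head_ref }}
#   run: echo "checking out $BRANCH"
# The shell expands $BRANCH to its value and does not re-parse that value.
safe_env_var() {
  BRANCH="$1" sh -c 'echo "checking out $BRANCH"'
}

echo "--- vulnerable, double-quoted expression ---"
vulnerable_double_quoted "$PAYLOAD_SUBST"
echo "--- vulnerable, single-quoted expression ---"
vulnerable_single_quoted "$PAYLOAD_QUOTE"
echo "--- hardened, environment variable ---"
safe_env_var "$PAYLOAD_SUBST"
safe_env_var "$PAYLOAD_QUOTE"
```

In the real workflow the equivalent change is to add an env: key on the affected step and reference the variable as "$BRANCH" inside run:. The same rule applies to every other attacker-controlled field that a workflow might interpolate, such as pull request titles and bodies, commit messages and issue text.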

Added: May 17, 2026, 11:19 PM
Updated: May 17, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.