
Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository, Exposing CI/CD Pipeline to Unauthorized Code Execution


Tenable Research has identified a critical vulnerability (CVSSv4 9.3) in a Microsoft GitHub repository that allowed for Remote Code Execution (RCE) and unauthorized access to repository secrets. This disclosure highlights that CI/CD infrastructure is a critical part of a modern attack surface.

The discovery involves a vulnerable GitHub workflow (one of GitHub's automation scripts, made up of one or more jobs run by GitHub Actions) within the Windows-driver-samples repository. This repository, which has been forked 5,000 times and has 7,700 stars, represents a significant point of interaction for developers. Tenable researchers demonstrated how the repository's CI/CD infrastructure could be exploited to compromise the software supply chain.

The “Trivial” Exploit Path

The vulnerability stems from a simple Python string injection flaw. Attackers could exploit this through the following steps:

  • Issue Creation: An attacker opens a GitHub issue, which is a feature available to any registered user.
  • Malicious Injection: The ...
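
An added example for workflow maintainers, not code from the article, Tenable, or the affected repository: a small check that flags `run:` script lines where issue text is expanded directly into the script source. The article's text is cut off before it shows the workflow, so this assumes the common form of the bug class, a `${{ github.event.issue.* }}` expression inside an inline Python step; both sample workflows and the function name are constructed for illustration.

```python
import re

# Issue/comment fields that any registered user controls (assumed list).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(issue|comment)\.(title|body)\s*\}\}")

# Constructed sample workflows, not taken from any real repository.
VULNERABLE = '''\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - shell: python
        run: |
          body = """${{ github.event.issue.body }}"""
          print(len(body))
'''

# Same step, but the issue text arrives as data in an environment variable.
HARDENED = '''\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - shell: python
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          import os
          body = os.environ["ISSUE_BODY"]
          print(len(body))
'''

def find_injectable_run_lines(workflow_text):
    """Return (line_no, text) for run: script lines that expand untrusted
    issue text into the script source before the interpreter parses it."""
    hits, run_indent = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # dedent: the run: block has ended
        key = re.match(r"(-\s+)?run:", stripped)
        if key:
            run_indent = indent + len(key.group(1) or "")
        if run_indent is not None and UNTRUSTED.search(line):
            hits.append((no, stripped))
    return hits
```

The hardened form is not flagged because the expression sits under `env:`, where the runner sets it as a variable value rather than pasting it into the Python source.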

Copyright of this story solely belongs to itvoice.in.