Impact
Super‑linter, the multi‑linter GitHub Action, contains a command injection flaw in its file discovery logic. Versions 6.0.0 through 8.3.0 of the action will execute shell command substitution strings embedded in filenames. When an attacker submits a pull request that introduces a file whose name contains syntax such as $(...), the action’s runtime scripts may run the embedded command during discovery, enabling arbitrary code execution in the workflow runner environment. This results in a full compromise of the job’s context and can expose secrets such as the GITHUB_TOKEN. Based on the description, it is inferred that the attacker, after gaining execution, could read, modify, or delete any resource within the runner’s execution scope.
Affected Systems
All users employing the Super‑linter GitHub Action in their workflows with versions 6.0.0 through 8.3.0 are affected. The issue resides in the open‑source action itself, not in individual repositories, so any project that declares the action as a dependency is at risk. Projects that include unversioned or outdated references to Super‑linter must update to a fixed release.
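One practical way to find the references this section warns about is to scan the repository's workflow files for every `uses:` target that names Super‑linter and classify its `@ref`. The script below is an added example written for this advisory, not tooling from the Super‑linter project; it assumes workflows live under `.github/workflows` and reference the action as `<owner>/super-linter[/slim]@<ref>`, and the sample workflow it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not super-linter's own tooling: audit workflow files for
# references to the Super-linter action and flag any that are unpinned or pinned
# to a release in the affected 6.0.0 - 8.3.0 range. Assumes workflows reference
# the action as "<owner>/super-linter[/slim]@<ref>" (the sample below is constructed).

# Return 0 when $1 (a three-part version such as 8.3.0 or v8.3.0) is affected.
is_affected_version() {
  v=${1#v}
  case "$v" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 1 ;;                  # not an exact release tag
  esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}           # drop any "-rc1" style suffix
  case "$major" in
    6|7) return 0 ;;                # every 6.x and 7.x release is affected
    8)
      [ "$minor" -lt 3 ] && return 0
      [ "$minor" -eq 3 ] && [ "$patch" -eq 0 ] && return 0
      ;;
  esac
  return 1
}

# Classify one "uses:" target. Prints AFFECTED, OK, SHA-PINNED, UNPINNED or OTHER.
classify_ref() {
  ref=$1
  case "$ref" in
    *super-linter*) ;;
    *) echo OTHER; return 0 ;;
  esac
  case "$ref" in
    *@*) tag=${ref##*@} ;;
    *) echo UNPINNED; return 0 ;;   # no @ref at all: resolves to the default branch
  esac
  ver=${tag#v}
  case "$ver" in
    [0-9]*.[0-9]*.[0-9]*)
      if is_affected_version "$ver"; then echo AFFECTED; else echo OK; fi ;;
    *)
      if [ "${#tag}" -eq 40 ] && [ -z "$(printf '%s' "$tag" | tr -d '0-9a-f')" ]; then
        echo SHA-PINNED               # immutable, but verify which release the SHA is
      else
        echo UNPINNED                 # major-only tag, branch or similar: floats
      fi ;;
  esac
}

# Scan every workflow in $1; print one line per "uses:" target. Returns 1 if
# any Super-linter reference is affected or cannot be proven fixed.
audit_workflows() {
  dir=$1; bad=0
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    refs=$(grep -h 'uses:' "$f" \
           | sed -e 's/.*uses:[[:space:]]*//' -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g")
    for ref in $refs; do
      status=$(classify_ref "$ref")
      printf '%-10s %s  %s\n' "$status" "$ref" "$f"
      case "$status" in AFFECTED|UNPINNED) bad=1 ;; esac
    done
  done
  return $bad
}

# Constructed sample: one workflow with an affected pin and a floating major tag.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/.github/workflows"
  cat > "$tmp/.github/workflows/lint.yml" <<'EOF'
name: Lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: super-linter/super-linter@v8.3.0   # constructed: affected release
      - uses: super-linter/super-linter/slim@v6
EOF
  if audit_workflows "$tmp/.github/workflows"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

if demo; then
  echo "all super-linter references are pinned to a fixed release"
else
  echo "found affected or unpinned super-linter references (see above)"
fi
```

Run `audit_workflows .github/workflows` from a repository root to audit real files. Floating major tags such as `@v6` are reported as UNPINNED rather than OK because they resolve to whatever the latest 6.x release is, which this advisory places inside the affected range; a 40-character SHA pin is reported separately so it can be traced back to a release by hand.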
Risk and Exploitability
The flaw carries a CVSS score of 8.8 (high severity) and an EPSS score of 1%, suggesting a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a pull request that introduces a file whose name contains command‑substitution syntax such as $(...), which the action processes during file discovery and can execute in the workflow runner context. How far the impact reaches beyond the workflow runner depends on the permissions granted to the job’s GITHUB_TOKEN; even if the token is restricted, the attacker still gains execution within that constrained runner environment.
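The discovery behaviour described under Impact and the attack vector above both come down to one defect: a filename is spliced into a string that a shell later parses, so `$(...)` in the name is evaluated instead of being treated as data. The script below is an added example written for this advisory, not Super‑linter's own discovery code; it shows the hardened shape of that logic, where each path travels as its own argv element and a separate check reports names carrying shell‑special characters so a workflow can fail early. The sample directory tree it walks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not super-linter's own code: a file-discovery helper hardened
# against the class of bug described above. Paths are never spliced into a shell
# command string; find hands each one to the linter as a separate argv element,
# so "$(...)" inside a name remains an inert literal. A separate check reports
# names carrying shell-special characters so a workflow can fail early and loudly.
# The sample tree below is constructed for the demonstration.

# Characters that would be interpreted if a filename were interpolated into a
# shell string: $ ` ; | & ( ) < > and both quote characters (\047 is ').
meta=$(printf '$`;|&()<>"\047')
nl=$(printf '\nx'); nl=${nl%x}        # literal newline, kept separately

# Return 0 if $1 contains any of those characters or an embedded newline.
has_shell_metachars() {
  case "$1" in
    *["$meta"]*|*"$nl"*) return 0 ;;
  esac
  return 1
}

# Run one linter invocation per regular file under $1; the remaining arguments
# are the linter command. find appends each path as its own argument, so no
# shell ever re-parses the name.
lint_tree() {
  dir=$1; shift
  find "$dir" -type f -exec "$@" {} \;
}

# List files under $1 whose names would be unsafe to interpolate anywhere.
# find's own -name matching is used, so the names never reach a shell parser.
suspicious_files() {
  find "$1" -type f \( -name "*[$meta]*" -o -name "*$nl*" \)
}

count_lines() { wc -l | tr -d ' '; }
count_discovered() { lint_tree "$1" echo | count_lines; }
count_suspicious() { suspicious_files "$1" | count_lines; }

# Build a small constructed tree: two ordinary files and one whose name carries
# command-substitution syntax, the pattern this advisory describes. Prints the
# tree's root directory.
make_sample_tree() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src"
  : > "$tmp/README.md"
  : > "$tmp/src/main.py"
  : > "$tmp"/'$(date).sh'
  printf '%s\n' "$tmp"
}

demo() {
  tree=$(make_sample_tree)
  echo "== every discovered file, each passed to the linter stub as one argument =="
  lint_tree "$tree" echo 'lint:'
  echo "== names that must not be interpolated into a shell string =="
  suspicious_files "$tree"
  rm -rf "$tree"
}

demo
```

The point to check in any discovery script is where filenames stop being argv elements and become text: `eval`, `sh -c "... $name ..."`, or building a command line with string concatenation is where command substitution in a name gets evaluated. Passing names through `find -exec`, `xargs -0`, or a quoted `"$@"` keeps them inert, and the `suspicious_files` check gives a cheap way to turn such a name into a visible failure in the job log rather than a silent behaviour change.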
OpenCVE Enrichment
GitHub GHSA