Impact
OWASP BLT versions prior to 2.1.2 ship a workflow definition that uses the GitHub Actions trigger pull_request_target, which runs with the repository's privileges. The workflow file pre-commit-fix.yaml checks out and executes code taken directly from any forked repository, so an attacker who owns a fork, and therefore needs write access only to that fork's default branch, can inject malicious code into the privileged workflow run. This flaw lets an attacker run arbitrary commands on the workflow runner and compromise the entire CI environment, leading to full system control, data theft, and deployment of malware. The weakness is code injection (CWE-94) through an uncontrolled, dynamically evaluated remote source (CWE-95).
Affected Systems
The vulnerability applies to the BLT project of the OWASP-BLT organization in versions earlier than 2.1.2. No specific patch versions are supplied beyond the corrective release 2.1.2; systems still using the earlier workflow configuration are at risk.
Risk and Exploitability
The CVSS score of 8.8 places this flaw at High severity. No EPSS score is available, so the exact exploit probability is unknown, though the high CVSS indicates a serious risk. The issue is not yet listed in the CISA KEV catalog. Based on the description, the most likely attack vector is a pull request from a fork of the repository that triggers the privileged workflow; the attacker must have write access to the fork to add malicious code. Once triggered, the workflow runner executes the injected code with repository permissions, enabling remote code execution.
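To make the pattern described above concrete, and to give maintainers a quick way to audit their own repositories, here is an added example (written for this page, not code from the OpenCVE entry or the OWASP BLT project). It embeds two constructed workflow files: one that reproduces the risky shape this advisory describes (pull_request_target combined with a checkout of the pull request's head from the fork, followed by a step that runs tooling from that checkout) and a safer variant that uses the plain pull_request trigger with a read-only token. The real pre-commit-fix.yaml is not reproduced; both samples are made up for illustration. The scanner is a deliberately dependency-free heuristic over the raw YAML text, so it can miss unusual layouts.

```python
"""Heuristic scanner for the "pull_request_target + fork checkout" GitHub Actions pattern.

Added example, not OWASP BLT's own code. The workflow texts below are constructed
samples that imitate the shape of the vulnerable pattern; they are not the real
pre-commit-fix.yaml from the project.
"""
import re

# Expressions that resolve to the pull request's head, which for a PR from a fork is
# fully attacker-controlled. Checking these out under pull_request_target is the
# classic "pwn request" shape.
FORK_HEAD_EXPRESSIONS = (
    "github.event.pull_request.head",
    "github.head_ref",
)

# Constructed vulnerable workflow: privileged trigger, write token, fork code checked
# out and then executed (pre-commit runs whatever hooks the fork's config declares).
VULNERABLE_WORKFLOW = """\
name: pre-commit-fix
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: pip install pre-commit && pre-commit run --all-files
"""

# Constructed safer workflow: plain pull_request trigger, so a fork PR runs with a
# read-only token and no repository secrets; the default checkout is the PR merge ref.
SAFE_WORKFLOW = """\
name: pre-commit-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install pre-commit && pre-commit run --all-files
"""


def uses_privileged_trigger(workflow_text: str) -> bool:
    """True when pull_request_target appears as a trigger name in the workflow."""
    return re.search(r"\bpull_request_target\b", workflow_text) is not None


def fork_checkout_lines(workflow_text: str) -> list:
    """Return 1-based line numbers of ref:/repository: inputs that point at the PR head."""
    hits = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = re.match(r"\s*(ref|repository)\s*:\s*(.*)", line)
        if match and any(expr in match.group(2) for expr in FORK_HEAD_EXPRESSIONS):
            hits.append(number)
    return hits


def assess(workflow_text: str) -> dict:
    """Combine both signals: a privileged trigger AND untrusted fork code checked out."""
    trigger = uses_privileged_trigger(workflow_text)
    checkouts = fork_checkout_lines(workflow_text)
    return {
        "privileged_trigger": trigger,
        "fork_checkout_lines": checkouts,
        "vulnerable": trigger and bool(checkouts),
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, assess(text))
```

Run against a real repository by reading each file under .github/workflows/ and passing its contents to assess(); a hit means the workflow should either switch to the pull_request trigger or, if it genuinely needs pull_request_target (for example to label or comment on PRs), stop checking out and running code from the PR head and drop permissions to the minimum the job needs.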
OpenCVE Enrichment