Impact
KanaDojo contains a command injection flaw that lets an attacker with pull request access insert shell metacharacters into the version or changes fields of patchNotesData.json. These fields are interpolated, without sanitization, into a child_process.execSync() call within the release.yml workflow, allowing execution of arbitrary shell commands. If a malicious pull request is merged, the injected commands run on the GitHub Actions runner with the workflow's repository permissions and its GITHUB_TOKEN, effectively giving the attacker full control of the runner environment and potential compromise of the repository and host infrastructure.
Affected Systems
The vulnerable products are versions of KanaDojo from the vendor lingdojo that are below 0.1.18. The flaw resides in the release.yml workflow that processes patchNotesData.json, so any repository running that workflow from a KanaDojo version that has not been updated is affected.
Risk and Exploitability
The CVSS score of 8.5 reflects high severity. While the EPSS score is not listed, the vulnerability requires only pull-request rights, which many contributors possess. An attacker can exploit the flaw by crafting a PR that injects malicious shell commands, getting it merged, and having arbitrary code execute during the CI run. The issue is not currently listed in CISA KEV, but its impact and the low effort required to trigger it mean the risk remains high if the CI workflow runs with write permissions and an unrestricted GITHUB_TOKEN.
OpenCVE Enrichment