CVE-2026-31852

Jellyfin · jellyfin-ios

The jellyfin-ios GitHub Actions workflow is vulnerable to arbitrary code execution via pull requests, potentially leading to full repository takeover and App Store supply chain attacks.

Executive summary

A critical CI/CD workflow vulnerability in the Jellyfin iOS repository allows unauthenticated attackers to execute arbitrary code, threatening the integrity of the Apple App Store supply chain.

Vulnerability

The code-quality.yml GitHub Actions workflow improperly handles pull requests from forked repositories. Due to excessive write permissions, an unauthenticated attacker can execute arbitrary code during the CI process, leading to the exfiltration of secrets and the potential poisoning of App Store releases and container registries.

Business impact

This vulnerability represents a high-impact supply chain risk. A successful exploit could allow an attacker to compromise the entire Jellyfin organization, inject malicious code into official iOS app releases, and exfiltrate highly privileged credentials. The CVSS score of 10 reflects the absolute severity of a potential repository and organization takeover.

Remediation

Immediate Action: No action is required from end users; the Jellyfin maintainers must secure the GitHub Actions workflows by following the principle of least privilege and restricting fork-based triggers.

Proactive Monitoring: Maintainers should audit GitHub Actions logs for suspicious pull request activity and rotate any secrets that may have been exposed during the vulnerable period.

Compensating Controls: Organizations should implement mandatory code review for all CI/CD configuration changes and utilize GitHub's "Require approval for all outside collaborators" setting.
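The Vulnerability and Remediation sections above describe the pattern in general terms: a workflow that runs on pull requests from forks while holding write permissions and secrets. The following Ruby script is an added example written for this page, not code from Jellyfin or from the real code-quality.yml (which the advisory does not reproduce). It embeds two constructed workflow fragments, a weak one with the `pull_request_target` trigger, `write-all` permissions, a checkout of the PR head and a secret reference, and a least-privilege rewrite, and audits both for exactly those properties. The secret name `APP_STORE_KEY`, the script path `./scripts/lint.sh` and the use of `pull_request_target` are assumptions chosen to illustrate the class of misconfiguration; it uses only Ruby's standard-library YAML parser.

```ruby
require 'yaml'

# Constructed sample of the risky shape the advisory describes: fork PRs trigger
# the workflow (pull_request_target), the job holds a read-write token, checks out
# the untrusted PR head and exposes a secret to it. NOT the real jellyfin-ios file.
WEAK_WORKFLOW = <<~YAML
  name: code-quality
  on:
    pull_request_target:
      types: [opened, synchronize]
  permissions: write-all
  jobs:
    lint:
      runs-on: macos-latest
      steps:
        - uses: actions/checkout@v4
          with:
            ref: ${{ github.event.pull_request.head.sha }}
        - run: ./scripts/lint.sh
          env:
            APP_STORE_KEY: ${{ secrets.APP_STORE_KEY }}
YAML

# Constructed least-privilege rewrite: plain pull_request trigger (fork PRs get no
# secrets and a read-only token), explicit read-only permissions, default checkout.
HARDENED_WORKFLOW = <<~YAML
  name: code-quality
  on:
    pull_request:
      types: [opened, synchronize]
  permissions:
    contents: read
  jobs:
    lint:
      runs-on: macos-latest
      steps:
        - uses: actions/checkout@v4
        - run: ./scripts/lint.sh
YAML

# Returns a list of findings for one workflow file; an empty list means none of
# the audited risk patterns were present.
def audit_workflow(yaml_text)
  wf = YAML.safe_load(yaml_text)
  findings = []

  # Psych resolves the bare key `on` to boolean true (YAML 1.1), so check both forms.
  triggers = wf[true] || wf['on'] || {}
  triggers = Array(triggers).to_h { |t| [t, nil] } unless triggers.is_a?(Hash)

  fork_privileged = triggers.key?('pull_request_target')
  findings << 'pull_request_target: fork PRs run with the base repository token and secrets' if fork_privileged

  perms = wf['permissions']
  if perms.nil?
    findings << 'no top-level permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write'
  elsif perms == 'write-all' || (perms.is_a?(Hash) && perms.values.include?('write'))
    findings << "write permissions granted: #{perms.inspect}"
  end

  # Checking out the PR head inside a privileged workflow runs attacker-controlled code.
  steps = (wf['jobs'] || {}).values.flat_map { |job| job['steps'] || [] }
  steps.each do |step|
    ref = step.dig('with', 'ref').to_s
    if step['uses'].to_s.start_with?('actions/checkout') && ref.include?('pull_request.head')
      findings << "untrusted checkout: #{ref}"
    end
  end

  uses_secrets = yaml_text.include?('${{ secrets.')
  findings << 'secrets referenced in a fork-triggered workflow' if fork_privileged && uses_secrets

  findings
end

if __FILE__ == $PROGRAM_NAME
  { 'weak' => WEAK_WORKFLOW, 'hardened' => HARDENED_WORKFLOW }.each do |label, text|
    findings = audit_workflow(text)
    report = findings.empty? ? 'no findings' : "\n  - " + findings.join("\n  - ")
    puts "#{label}: #{report}"
  end
end
```

Run as a script it prints four findings for the weak fragment and none for the hardened one; pointing `audit_workflow` at each file under `.github/workflows/` gives the kind of sweep the Proactive Monitoring item asks maintainers to perform. The check on a missing `permissions` block is deliberately conservative: the default token scope is a repository setting, so the safe assumption is that it may be read-write until the workflow says otherwise.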

Exploitation status

Public Exploit Available: false

Analyst recommendation

While end users are not required to take action, this incident highlights the critical importance of CI/CD security. Development teams must ensure that GitHub Actions workflows triggered by external contributors do not have access to sensitive secrets or write permissions.