CVE-2025-53546

RSSNext · Folo

RSSNext Folo is vulnerable to remote code execution via insecure GitHub Actions workflow configuration using pull_request_target.

Executive summary

An insecure GitHub Actions workflow configuration in RSSNext Folo allows unauthenticated attackers to execute arbitrary code, posing a critical risk to the development environment.

Vulnerability

This vulnerability is an inclusion of functionality from an untrusted control sphere (CWE-829). The auto-fix-lint-format-commit.yml workflow is triggered by pull_request_target, an event that runs in the context of the base repository (with its write-capable token and access to secrets), yet the workflow executes code taken from the pull request itself. Any pull request can therefore supply the code that runs in that privileged context.

Business impact

With a CVSS score of 9.1, this vulnerability represents a critical risk. Successful exploitation could lead to full compromise of the GitHub repository, potential exfiltration of secrets, or the introduction of malicious code into the software supply chain, resulting in severe reputational damage and operational disruption.

Remediation

Immediate Action: Update the RSSNext Folo repository to the commit hash 585c6a591440cd39f92374230ac5d65d7dd23d6a or later to secure the workflow configuration.

Proactive Monitoring: Audit GitHub repository workflows for usage of pull_request_target and monitor CI/CD logs for unexpected execution patterns or unauthorized modifications.

Compensating Controls: Restrict GitHub Actions permissions to the minimum necessary level and implement branch protection rules that require manual approval for workflows triggered by external contributors.
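The "audit workflows for pull_request_target" step above, as an added example that is not part of this advisory or of the Folo project: a small Python auditor that flags workflows combining the privileged trigger with a checkout of the pull request head. The regex patterns, severity labels and the two embedded workflow snippets are constructed illustrations, not the project's auto-fix-lint-format-commit.yml.

```python
import re
from pathlib import Path

# Trigger that runs in the base repository's context (write GITHUB_TOKEN, secrets in reach).
PRIVILEGED_TRIGGER = re.compile(r"\bpull_request_target\b")
# Checkout of the pull request head, i.e. code the PR author controls.
HEAD_CHECKOUT = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\b")
SECRETS_USE = re.compile(r"\bsecrets\.\w+")

def audit_workflow(text: str) -> dict:
    """Classify one workflow: privileged trigger + PR-head checkout is the CWE-829 pattern."""
    uses_prt = bool(PRIVILEGED_TRIGGER.search(text))
    head_checkout = bool(HEAD_CHECKOUT.search(text))
    uses_secrets = bool(SECRETS_USE.search(text))
    if uses_prt and head_checkout:
        severity = "critical" if uses_secrets else "high"
    elif uses_prt:
        severity = "review"  # privileged trigger; confirm no PR-controlled code is executed
    else:
        severity = "ok"
    return {"pull_request_target": uses_prt, "head_checkout": head_checkout,
            "secrets": uses_secrets, "severity": severity}

def audit_directory(workflows_dir: str) -> dict:
    """Run audit_workflow over every .yml/.yaml file in a .github/workflows directory."""
    files = sorted(p for ext in ("*.yml", "*.yaml") for p in Path(workflows_dir).glob(ext))
    return {p.name: audit_workflow(p.read_text(encoding="utf-8")) for p in files}

# Constructed sample workflow (not the project's own file) showing the weak pattern.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  fix:
    runs-on: ubuntu-latest
    permissions: {contents: write}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run lint:fix   # runs scripts the PR author controls
      - run: git push
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""
# Fixed form: pull_request trigger (read-only token, no secrets for fork PRs), default checkout.
HARDENED = VULNERABLE.replace("pull_request_target:", "pull_request:").replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", "")
```

Run audit_directory(".github/workflows") inside a repository checkout; a "review" result means pull_request_target is present and the file still needs a manual read for other paths by which pull request content could reach execution.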

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Due to the critical severity and the availability of exploit code, immediate remediation is mandatory. Developers must apply the referenced commit and review all CI/CD pipeline configurations to ensure that untrusted input cannot trigger privileged execution environments.