CVE-2025-47271
Description
The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2025-47271? +
How do I check if I'm vulnerable to CVE-2025-47271? +
Related Vulnerabilities
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including …
A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default …
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types …
zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment …
An error related to the 2-factor authorization (2FA) on the RISC Platform prior to the saas-2021-12-29 release can potentially be …
An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow …