February 3, 2021

GHSL-2020-185: Arbitrary code execution in Plugins Verified by Homebridge workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The ‘plugin-prechecks.yml’ GitHub workflow is vulnerable to arbitrary code execution, which may lead to the repository being compromised.


homebridge/verified GitHub repository

Tested Version

plugin-prechecks.yml from the master branch.


Issue: The tested npm package may use the temporary GitHub authorization token to make arbitrary changes in the repository

When a user creates a public issue or comments on an existing issue with /check it automatically starts the plugin-prechecks.yml GitHub workflow. The body of the issue is used in the custom precheck action.

    // Excerpt from the precheck action: extract package names from URLs in the issue body
    const matches = issueBody.split('\n')
      .map((line) => {
        const match = line ? line.match(/(https?:\/\/.[^ ]*)/gi) : null
        if (match) {
          return match.find((x) => x.includes(''));
        }
      })
      .filter((m) => m)
      .map((x) => {
        const pluginName = x.split('/').splice(4).join('/').replace(/[^a-zA-Z0-9@\\/-]/g, '');
        return pluginName;
      });

    // Excerpt from the precheck action: install the extracted package in the runner
    const proc = child_process.spawn('npm', ['install', this.packageName], {
      cwd: this.testPath,
    });


Since npm install also executes the package's install lifecycle scripts (preinstall, install, postinstall), this leads to arbitrary code execution of untrusted npm packages in the context of a GitHub Actions runner. It makes the temporary GitHub repository token available to the potentially malicious code, which can be used to modify the repository content or run any malicious code in the hosted environment.


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-185 in any communication regarding this issue.