December 8, 2021

GHSL-2021-1032: Unauthorized repository modification or secrets exfiltration from a Pull Request in Solana GitHub workflow

GitHub Security Lab

Coordinated Disclosure Timeline


The Explorer GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a pull request.



Tested Version

Commit 968aafd (2021-10-25).


Issue 1: Unauthorized modification of the base repository or secrets exfiltration from a Pull Request (GHSL-2021-1032)

The pull_request_target trigger used in the Explorer GitHub workflow explicitly checks out potentially untrusted code from a pull request and then runs it:

    on:
      pull_request_target:
        branches:
          - master
        paths:
          - 'explorer/**'

    # ... (job definition elided on the page) ...

        steps:
          - uses: actions/checkout@v2
            with:
              ref: ${{ github.event.pull_request.head.sha }}   # the fork's head commit: untrusted
          - run: npm i -g npm@7
          - run: npm ci              # runs lifecycle scripts from that checkout's package.json
          - run: npm run format
          - run: npm run build
          - run: npm run test

Because pull_request_target runs in the context of the base repository, the job receives a GITHUB_TOKEN with write access to that repository and has access to its secrets, even when the pull request comes from a fork. By explicitly checking out the pull request head and then running npm ci and the npm scripts from that checkout, the workflow executes the fork's untrusted code with those privileges. See Preventing pwn requests for more information.

A malicious user could therefore open a pull request against master that modifies a command in explorer/package.json (a lifecycle script executed by npm ci, or the format, build or test script executed by the later steps); the modified command would run with the workflow's write-capable token and secrets.
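The script below is an added example written for this page, not code from the advisory or from the Solana repository. It implements a line-based check for the pattern described above (a pull_request_target trigger combined with an actions/checkout step whose ref resolves to the pull request head) and runs it over constructed sample workflows modelled on the fragment above: the vulnerable shape, a variant that switches the trigger to pull_request, a variant that keeps pull_request_target but checks out only the base branch, and an inline-trigger form. It assumes no PyYAML is installed, so it is a regex heuristic over lines rather than a full YAML parse; the sample workflow texts and the job names in them are constructed for the example.

```python
"""Line-based check for the "pwn request" pattern: a pull_request_target trigger
combined with a checkout of the pull request head. Added example, not GHSL or
Solana code; assumes no PyYAML, so it is a heuristic over lines, not a YAML parse."""
import re

# YAML 1.1 reads a bare `on` key as the boolean true, so accept "on", 'on' and true too.
TRIGGER_KEY = re.compile(r"""^(on|"on"|'on'|true)\s*:""")
TOP_LEVEL_KEY = re.compile(r"""^[A-Za-z_"']""")
PRT = re.compile(r"\bpull_request_target\b")
CHECKOUT_STEP = re.compile(r"""^\s*-\s*uses:\s*["']?actions/checkout""")
REF_LINE = re.compile(r"^\s*ref:\s*(.+?)\s*$")
UNTRUSTED_REF = re.compile(r"github\.event\.pull_request\.head|github\.head_ref")  # PR head

def indent(line):
    return len(line) - len(line.lstrip(" "))

def uses_pull_request_target(lines):
    """True if pull_request_target appears in the top-level on: block (inline or nested)."""
    in_on = False
    for line in lines:
        if TRIGGER_KEY.match(line):
            in_on = True
            if PRT.search(line):                     # on: [push, pull_request_target]
                return True
        elif in_on:
            if line.strip() and indent(line) == 0 and TOP_LEVEL_KEY.match(line):
                break                                # next top-level key ends the on: block
            if PRT.search(line):
                return True
    return False

def head_checkouts(lines):
    """[(line_number, ref)] for actions/checkout steps whose ref resolves to the PR head."""
    findings, i = [], 0
    while i < len(lines):
        if not CHECKOUT_STEP.match(lines[i]):
            i += 1
            continue
        step_indent, j = indent(lines[i]), i + 1
        # lines indented deeper than the step's "-" are this step's keys (with:, ref:, ...)
        while j < len(lines) and (not lines[j].strip() or indent(lines[j]) > step_indent):
            m = REF_LINE.match(lines[j])
            if m and UNTRUSTED_REF.search(m.group(1)):
                findings.append((j + 1, m.group(1)))
            j += 1
        i = j
    return findings

def scan(workflow_text):
    """Findings for one workflow file; [] means the dangerous combination is absent."""
    lines = workflow_text.splitlines()
    if not uses_pull_request_target(lines):       # on pull_request a fork's run gets no secrets
        return []                                 # and a read-only token, so head checkout is OK
    return [f"line {n}: pull_request_target workflow checks out untrusted ref {ref}"
            for n, ref in head_checkouts(lines)]

# Constructed sample workflows (not the real Solana file), mirroring the advisory's shape.
VULNERABLE = """\
on:
  pull_request_target:
    branches: [master]
    paths: ['explorer/**']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm run build
"""
# Fix 1: trigger on pull_request; a fork's run then has no secrets and a read-only GITHUB_TOKEN.
HARDENED_TRIGGER = VULNERABLE.replace("pull_request_target:", "pull_request:")
# Fix 2: keep pull_request_target but check out only the base branch (checkout's default, no ref:).
HARDENED_CHECKOUT = "\n".join(l for l in VULNERABLE.splitlines()
                              if "with:" not in l and "ref:" not in l) + "\n"
INLINE = """\
on: [push, pull_request_target]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: "actions/checkout@v3"
        with:
          ref: ${{ github.head_ref }}
"""

if __name__ == "__main__":
    for name, text in [("VULNERABLE", VULNERABLE), ("HARDENED_TRIGGER", HARDENED_TRIGGER),
                       ("HARDENED_CHECKOUT", HARDENED_CHECKOUT), ("INLINE", INLINE)]:
        print(name, scan(text) or "clean")
```

Only the vulnerable and inline samples are reported. The two hardened variants correspond to the two remediation choices: either give up the privileged trigger (pull_request, where a fork's run has no secrets and a read-only token) or keep pull_request_target and never check out or execute the pull request's code in that privileged job. A real linter would also want to flag indirect execution of fork code in pull_request_target jobs (for example running npm ci on a head checkout performed by an earlier step), which this line heuristic only catches through the checkout ref.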


The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.

Although the workflow file looks like it is under heavy development, note that at the time of writing the window of opportunity for attacks was open during the following periods: Oct 19, 2021, 9:51 PM GMT+3 to Oct 21, 2021, 10:10 AM GMT+3; Oct 22, 2021, 11:42 PM GMT+3 to Oct 22, 2021, 11:52 PM GMT+3; and Oct 23, 2021, 11:09 AM GMT+3 to Oct 25, 2021, 11:13 AM GMT+3.


This issue was discovered and reported by GitHub team member @p0 (Pavel Avgustinov).


You can contact the GHSL team at, please include a reference to GHSL-2021-1032 in any communication regarding this issue.