June 16, 2023

GHSL-2023-106: Actions command injection in a new issue workflow of textualize/rich

Jorge Rosillo

Coordinated Disclosure Timeline


The textualize/rich repository is vulnerable to a command injection in Actions.



Tested Version



Actions command injection in newissue.yml (GHSL-2023-106)

The newissue.yml workflow is triggered on issues [created] (i.e., when an Issue is created). Therefore, this workflow runs the following step with data controlled by said Issue (${{ github.event.issue.title }} – the title of the Issue), allowing an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets and altering the repository).

- name: Run Suggest
  run: faqtory suggest "${{ github.event.issue.title }}" >

This issue was found by the Expression injection in Actions CodeQL query.

Proof of Concept

  1. Open an Issue against textualize/rich with the title "; echo "hello";#.
  2. Check the workflow runs for the new Actions run that will execute the command echo "hello".
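To make concrete why the step quoted above is exploitable and what the fix looks like, the following shell example is added here (it is not code from the advisory or from textualize/rich). It mimics the runner pasting the expression into the script text before the shell parses it, contrasts that with passing the title through an environment variable, and ends with a simple grep check for run: lines that interpolate event data. The fake_suggest stand-in, the constructed title and the workflow fragment are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not code from the advisory or from textualize/rich.
# The Actions runner substitutes `${{ ... }}` into the script *text* before the
# shell sees it, so quote and ';' characters in an issue title become shell
# syntax. Passing the value via `env:` keeps it as data.

# Constructed issue title, the same shape as the advisory's PoC.
TITLE='"; echo "hello";#'

# Stand-in for `faqtory suggest`: it only reports the one argument it received.
fake_suggest() { printf 'suggest-arg=[%s]\n' "$1"; }

# Vulnerable pattern, equivalent to:
#   run: faqtory suggest "${{ github.event.issue.title }}"
# Expansion happens first; the resulting text is then evaluated as shell.
vulnerable_run() {
  script="fake_suggest \"$1\""   # title is pasted into the command line
  eval "$script"                 # shell now parses the pasted quotes and ';'
}

# Hardened pattern, equivalent to:
#   env:
#     ISSUE_TITLE: ${{ github.event.issue.title }}
#   run: faqtory suggest "$ISSUE_TITLE"
# The title reaches the step as a variable value, never as script text.
hardened_run() {
  ISSUE_TITLE="$1"
  fake_suggest "$ISSUE_TITLE"
}

# Detection: a minimal check that flags `run:` lines interpolating event data.
# Constructed workflow fragment for the demo (one unsafe step, one safe step).
WORKFLOW='      - name: Run Suggest
        run: faqtory suggest "${{ github.event.issue.title }}"
      - name: Safe step
        run: faqtory suggest "$ISSUE_TITLE"'

count_unsafe_run_lines() {
  printf '%s\n' "$WORKFLOW" | grep -c 'run:.*github\.event\.'
}

echo "--- vulnerable: attacker-controlled echo runs ---"
vulnerable_run "$TITLE"
echo "--- hardened: title is treated as a single argument ---"
hardened_run "$TITLE"
echo "--- unsafe run: lines found: $(count_unsafe_run_lines) ---"
```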


This issue may lead to stealing workflow secrets and alteration of the repository.



This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).


You can contact the GHSL team at, please include a reference to GHSL-2023-106 in any communication regarding this issue.