Coordinated Disclosure Timeline

• 2025-08-11: Report sent via email.
• 2025-12-16: Fixed in commit

Summary

PraisonAI repository was vulnerable to code injection in the claude-code-action GitHub Actions workflow (GHSL-2025-093).

Project

PraisonAI

Tested Version

The latest changeset at the moment of review

Details

Code injection in GitHub Actions claude-code-action (GHSL-2025-093)

A code injection vulnerability was identified in the reusable action .github/actions/claude-code-action/action.yml. At line 145, the action directly evaluates user-controlled input from an issue body:

ISSUE_BODY="${{ github.event.issue.body }}"

The same is also true for github.event.issue.title on line 146:

ISSUE_TITLE="${{ github.event.issue.title }}"

Vulnerable Action Details

The reusable action .github/actions/claude-code-action/action.yml is used in the reusable action .github/actions/claude-issue-triage-action/action.yml:

uses: ./.github/actions/claude-code-action

The claude-issue-triage-action itself is used by the claude-issue-triage workflow at line 20:

uses: ./.github/actions/claude-issue-triage-action

The claude-issue-triage workflow is triggered by following user-controlled event:

• issues (line 5)

The workflow has access to the ANTHROPIC_API_KEY secret.

Impact

This issue may lead to code execution with high privileges and secret exfiltration.

Credit

This issue was discovered by CodeQL and the GitHub Security Lab Taskflow Agent and verified and reported by GHSL team member @p- (Peter Stöckli).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2025-093 in any communication regarding this issue.