CVE-2025-53546

| EUVD-2025-20825 CRITICAL
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2025-07-09 [email protected]
Information Disclosure
9.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:51 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
585c6a591440cd39f92374230ac5d65d7dd23d6a
Analysis Generated
Mar 16, 2026 - 06:20 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 06:20 euvd
EUVD-2025-20825
CVE Published
Jul 09, 2025 - 15:15 nvd
CRITICAL 9.1

DescriptionNVD

Folo organizes feeds content into one timeline. Using pull_request_target on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets (from the base repo). By exploiting the vulnerability is possible to exfiltrate GITHUB_TOKEN which has high privileges. GITHUB_TOKEN can be used to completely overtake the repo since the token has content write privileges. This vulnerability is fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a.

AnalysisAI

CVE-2025-53546 is a security vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 9.1 indicates critical severity with likely remote exploitation vector.

RemediationAI

Monitor vendor channels for patch availability.

Share

CVE-2025-53546 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy