Skip to main content

Espressif shared-github-dangerjs CVE-2026-44358

| EUVDEUVD-2026-32908 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-05-28 GitHub_M
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 28, 2026 - 17:01 EUVD
Source Code Evidence Fetched
May 28, 2026 - 15:52 vuln.today
Analysis Generated
May 28, 2026 - 15:52 vuln.today

DescriptionGitHub Advisory

Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action's own code. This vulnerability is fixed in 1.0.1.

AnalysisAI

Untrusted search path in Espressif's shared-github-dangerjs GitHub Action prior to 1.0.1 allows a fork pull request, when processed by a pull_request_target workflow, to substitute attacker-controlled binaries and Node.js modules for the action's own code. Exploitation yields code execution inside the action container with access to repository secrets and write-scoped GITHUB_TOKEN, with no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability is a CWE-427 (Uncontrolled Search Path Element) flaw in entrypoint.sh of the reusable Espressif DangerJS GitHub Action (CPE cpe:2.3:a:espressif:shared-github-dangerjs). The action ran npx danger ci from the caller's workspace after the fork's checkout had been copied into it; because npx resolves binaries relative to the current working directory's node_modules/.bin and Node.js resolves modules from the nearest node_modules tree, a fork PR could supply both a malicious danger binary and arbitrary modules that Node would load in preference to the action's intended code. The danger here is amplified by the pull_request_target trigger, which runs with the base repository's secrets and a privileged GITHUB_TOKEN, unlike the safer pull_request trigger.

RemediationAI

Vendor-released patch: 1.0.1, which invokes danger via the absolute path /node_modules/.bin/danger and runs rm -rf /github/workspace/node_modules before execution to neutralize fork-supplied modules; upgrade by bumping the uses: reference in calling workflows to espressif/shared-github-dangerjs@1.0.1 (or, preferably, pin to the fix commit SHA d7424080) per the advisory at https://github.com/espressif/shared-github-dangerjs/security/advisories/GHSA-wm3p-pv54-6w73. If immediate upgrade is not possible, switch the calling workflow's trigger from pull_request_target to pull_request so secrets and write-scoped tokens are not exposed to fork code (trade-off: the workflow will no longer be able to post Danger comments back to the PR), or gate the job behind an if: github.event.pull_request.head.repo.full_name == github.repository check to skip fork PRs entirely (trade-off: forks receive no Danger feedback). Avoid relying on permissions: read-all alone, since the underlying hijack still executes attacker code in the runner.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-44358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy