
Espressif shared-github-dangerjs EUVD-2026-32908

CVE-2026-44358 | HIGH
Uncontrolled Search Path Element (CWE-427)
2026-05-28 GitHub_M
CVSS 3.1 base score: 8.2

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: May 28, 2026 - 17:01 (EUVD)
Source Code Evidence Fetched: May 28, 2026 - 15:52 (vuln.today)
Analysis Generated: May 28, 2026 - 15:52 (vuln.today)

Description (NVD)

Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action's own code. This vulnerability is fixed in 1.0.1.
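The search-path problem described above, as an added illustration that is not the action's real entrypoint.sh or its 1.0.1 fix: when tool resolution starts in the caller's workspace, a constructed `danger` stub placed there by a fork checkout shadows the action's own copy, whereas pinning resolution to the action's install directory and refusing any binary that lives under the workspace removes the untrusted path. The directory layout, `$workspace`, `$action_dir` and the function names are assumptions.

```shell
# Constructed illustration of CWE-427 in a CI entrypoint (not the project's code).
# Layout assumed: $workspace holds the PR checkout (fork-controlled content),
# $action_dir holds the action's own vendored node_modules.

# Weak pattern: the workspace's node_modules/.bin is searched first, so a
# fork-supplied node_modules/.bin/danger is what gets executed.
resolve_danger_unsafe() {
  workspace="$1"; action_dir="$2"
  ( PATH="$workspace/node_modules/.bin:$action_dir/node_modules/.bin:$PATH"
    command -v danger )
}

# Hardened pattern: only the action's own install directory is consulted, the
# resolved path is canonicalised, and anything under the workspace is refused
# (this also catches an action directory that was copied into the workspace).
resolve_danger_safe() {
  workspace="$1"; action_dir="$2"
  bin="$action_dir/node_modules/.bin/danger"
  [ -x "$bin" ] || { echo "danger not found in action dir" >&2; return 1; }
  real="$(cd "$(dirname "$bin")" && pwd -P)/$(basename "$bin")"
  ws_real="$(cd "$workspace" && pwd -P)"
  case "$real" in
    "$ws_real"/*) echo "refusing binary under workspace: $real" >&2; return 1 ;;
  esac
  printf '%s\n' "$real"
}

# Invocation: absolute binary path, cwd outside the workspace, and NODE_PATH
# pinned so Node.js module resolution cannot walk into fork-controlled dirs.
run_danger_safe() {
  workspace="$1"; action_dir="$2"; shift 2
  bin="$(resolve_danger_safe "$workspace" "$action_dir")" || return 1
  ( cd "$action_dir" && NODE_PATH="$action_dir/node_modules" "$bin" "$@" )
}
```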

Analysis (AI)

Untrusted search path in Espressif's shared-github-dangerjs GitHub Action prior to 1.0.1 allows a fork pull request, when processed by a pull_request_target workflow, to substitute attacker-controlled binaries and Node.js modules for the action's own code. Exploitation yields code execution inside the action container with access to repository secrets and write-scoped GITHUB_TOKEN, with no public exploit identified at time of analysis.


Remediation (AI)

Within 24 hours: audit all GitHub workflows using shared-github-dangerjs and enumerate affected repositories; immediately discontinue use of the action or restrict pull_request_target workflows to run only on commits from protected branches (disable for pull_request events from forks). Within 7 days: evaluate alternative security tools for dependency checking (Dependabot, Snyk, or equivalent) and implement job-level GITHUB_TOKEN permissions (permissions.contents: read, permissions.pull-requests: read) to limit attack surface on remaining workflows. …
