Résumé
Poisoned Pipeline Execution is the class of attack in which an actor with write access to source control, but no direct access to the build environment, injects attacker-controlled commands that the CI pipeline then executes with its own privileges, secrets, and tokens. Direct PPE (D-PPE) modifies the CI configuration file itself (for example .github/workflows, .gitlab-ci.yml, or a Jenkinsfile) by pushing to an unprotected branch or opening a pull request, so the new pipeline steps run on trigger. Indirect PPE (I-PPE) instead poisons files the pipeline already references, such as a Makefile, test harness, build script, or linter config, when the config is protected but the referenced code is not. Public PPE (3PE) abuses public and open-source repositories that run unreviewed code from anonymous fork pull requests, frequently via the dangerous pull_request_target trigger that grants the fork workflow access to repository secrets. The pattern is catalogued as CICD-SEC-4 in the OWASP Top 10 CI/CD Security Risks (published September 2022) and in Cider/Legit Security research, with real cases including public-repo PPE in popular projects and GitHub Actions workflows abused for cryptocurrency mining.
Comment l’éviter dans votre code
- Require review approval before any workflow runs on fork or external-contributor pull requests; never auto-run unreviewed code.
- Avoid pull_request_target with a checkout of the untrusted PR head; never expose secrets to fork-triggered workflows.
- Protect branches and the CI config path; mandate reviews and signed commits for pipeline-definition changes.
- Run untrusted-PR builds on isolated, secret-less, least-privilege runners with restricted egress.
- Pin and integrity-check the build scripts, Makefiles, and dependencies the pipeline executes.
Références
- https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution
- https://github.com/cider-security-research/top-10-cicd-security-risks/blob/main/Risks/CICD-SEC-04-Poisoned-Pipeline-Execution.md
- https://www.paloaltonetworks.com/cyberpedia/poisoned-pipeline-execution-cicd-sec4
Vulnérabilités liées
Tout Supply chain →- HIGHGHSA-7QW2-W5RC-37X2
PraisonAI recipe workflow policy can be bypassed by declaring and YAML-approving dangerous tools outside TEMPLATE.yaml
- HIGHSC-GHA-SCRIPT-INJECTION-2020
GitHub Security Lab documented (initial guidance August 20, 2020, updated since) a widespread GitHub Actions vulnerability class in which attacker-controlled event fields interpolated into run shell steps cause command execution. Because expressions in double-brace syntax are evaluated and substituted into the temporary shell script before the runner executes it, embedding an untrusted field such as github.event.issue.title or github.event.pull_request.head_ref directly in a run block lets the attacker break out of the intended command. An attacker who simply opens an issue or PR with a title containing a quote and a shell payload (for example a backtick command-substitution or a semicolon-curl sequence) executes arbitrary commands on the runner, reading environment variables and exfiltrating GITHUB_TOKEN and repository secrets to an external host. This is expression/script injection via untrusted github.event input, found across a large number of public-repo workflows. The fix is to never interpolate untrusted context into a shell; pass it through an intermediate quoted environment variable so it is treated as data, not script.
- CRITICALGHSA-4H5R-5JM8-JXJM
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
- HIGHGHSA-5CJ2-3JR2-5H77
OpenClaw: Shell positional parameters could weaken strict inline-eval checks
- LOWGHSA-CWPP-5962-Q4F6
OpenClaw: Exec allowlist could miss side effects from transparent command wrappers
- CRITICALGHSA-R253-R9JW-QG44
Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args