→ Back to Home
GitHub Actions

Critical Command Injection Vulnerability Discovered in `setup-php` GitHub Action

A critical command injection vulnerability, identified as CVE-2026-46420, has been discovered in the `shivammathur/setup-php` GitHub Action. This flaw affects versions from 2.25.0 up to, but not including, 2.37.1. The vulnerability stems from insufficient input validation when the action processes PHP version specifications from repository-controlled configuration files, such as `.php-version`, `composer.lock`, and `composer.json`. The action's design inherently trusts these inputs without adequate sanitization, allowing malicious actors to inject arbitrary commands into dynamically generated shell or PowerShell scripts executed on the GitHub Actions runner. This vulnerability is highly significant for any organization utilizing the affected `setup-php` action within their GitHub Actions workflows. The primary concern is the potential for complete compromise of the GitHub Actions runner environment. If a workflow, particularly one triggered by `pull_request_target` with elevated privileges, checks out attacker-controlled content before invoking `setup-php`, an attacker could exploit this to exfiltrate sensitive data, access secrets stored in the runner, or establish persistent backdoors within the CI/CD pipeline. This directly impacts software supply chain security, as compromised build environments can lead to the injection of malicious code into production artifacts. This incident fits into a broader, well-established trend in cloud and DevOps security: the increasing focus on software supply chain attacks. As organizations adopt CI/CD pipelines and rely heavily on third-party actions and dependencies, the attack surface expands. Recent years have seen numerous high-profile supply chain compromises, emphasizing that vulnerabilities in seemingly innocuous components can have far-reaching consequences. The shift towards 'shift-left' security practices, where security is integrated earlier in the development lifecycle, is a direct response to such threats. The need for robust input validation, secure-by-default configurations, and diligent dependency management is paramount in this evolving threat landscape. In practice, practitioners must prioritize immediate action. The most crucial step is to upgrade all instances of `shivammathur/setup-php` to version 2.37.1 or later. Organizations should also conduct an audit of their existing workflows to identify any instances where `pull_request_target` workflows might be checking out untrusted code with elevated permissions. Implementing stricter input sanitization and validation for all external inputs, along with adopting a policy of pinning GitHub Actions to specific commit SHAs rather than mutable tags, are essential best practices. Furthermore, organizations should review their secret management strategies to ensure secrets are scoped as narrowly as possible and not broadly exposed to potentially compromised runners. This event serves as a stark reminder that continuous vigilance and proactive security measures are indispensable for maintaining the integrity of modern software delivery pipelines.
#github actions#security#vulnerability#supply chain#php#ci/cd
Read original source