actions/artifact is the GitHub Toolkit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` to extract a specially crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue.
CVE ID: CVE-2024-42471
CVSS Base Severity: HIGH
CVSS Base Score: 7.3
Vendor: actions
Product: toolkit
EPSS Score: 0.05% (probability of being exploited)
EPSS Percentile: 24.27% (share of scored vulnerabilities with an equal or lower EPSS score)
EPSS Date: 2025-02-20 (date this score was calculated)
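
Path traversal during extraction, as described above, happens when an untrusted entry name is joined to the extraction directory without checking where the result lands. The following is an added example, not code from actions/toolkit or its 2.1.2 fix; the function names, the `/tmp/artifact` root and the sample entry names are constructed for illustration.

```javascript
// Added illustration; not code from actions/toolkit. All names are hypothetical.
const path = require('path');

// Resolve an archive entry name against the extraction root. Returns the
// absolute target path, or null if the entry would land outside the root.
function resolveInsideRoot(destDir, entryName) {
  const root = path.resolve(destDir);
  // Archives built on other platforms may use backslashes as separators.
  const normalized = entryName.replace(/\\/g, '/');
  // Reject NUL bytes, absolute paths and drive-letter prefixes outright.
  if (normalized.includes('\0') || normalized.startsWith('/') ||
      /^[A-Za-z]:/.test(normalized)) {
    return null;
  }
  const target = path.resolve(root, normalized);
  const rel = path.relative(root, target);
  // An escaping path has a relative form of ".." or one starting with "../".
  // A plain startsWith('..') test would wrongly reject names like "..data".
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) ||
      path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Split a list of entry names into those safe to write and those to refuse.
function partitionEntries(destDir, entryNames) {
  const accepted = [];
  const rejected = [];
  for (const name of entryNames) {
    const target = resolveInsideRoot(destDir, name);
    if (target === null) rejected.push(name);
    else accepted.push({ name, target });
  }
  return { accepted, rejected };
}

// Constructed sample entry names, as an extraction routine might see them.
const SAMPLE_ENTRIES = [
  'dist/app.js',
  'logs/../report.txt',    // contains ".." but stays inside the root
  '..data/ok.txt',         // leading dots in a directory name, not a traversal
  '../outside.txt',
  'a/../../outside.txt',
  '/etc/absolute.txt',
  '..\\..\\outside.txt',
];
```

This check covers entry names only; symlink entries inside an archive need separate handling before any file is written through them.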