
CVE-2025-47271: OZI-Project/ozi-publish Code Injection vulnerability

6.3 CVSS

Description

The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.
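As an added illustration (not the project's own workflow and not the patched code in the referenced commit), the following GitHub Actions fragment shows the general pattern behind the CWE-94 finding described above: a pull-request branch name expanded inline into a `run:` script, beside the conventional hardening. The job name, the `gh pr create` command and the allowlist pattern are assumptions made for the example.

```yaml
# Illustrative workflow, not OZI-Project/publish code.
# The runner expands ${{ ... }} expressions into the script text *before*
# the shell parses it, so any metacharacters in the branch name become part
# of the command line. That is the untrusted-data-to-code flow the advisory
# describes.
name: pr-sync-example
on: pull_request_target

jobs:
  create-pr-weak:
    runs-on: ubuntu-latest
    steps:
      # WEAK: branch name interpolated directly into the shell script.
      - run: |
          gh pr create --head "${{ github.head_ref }}" --title "sync ${{ github.head_ref }}"

  create-pr-hardened:
    runs-on: ubuntu-latest
    steps:
      # HARDENED: pass the value through an environment variable so the
      # shell receives it as data, then validate against an allowlist
      # (assumed branch-naming policy) before using it.
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          case "$HEAD_REF" in
            *[!A-Za-z0-9._/-]*)
              echo "refusing branch name with unexpected characters" >&2
              exit 1 ;;
          esac
          gh pr create --head "$HEAD_REF" --title "sync $HEAD_REF"
```

The `env:` indirection is the primary fix: the runner still expands the expression, but into a variable value rather than into script source, so quoting in the shell applies normally. The allowlist check is defense in depth and also gives a useful audit signal. A quick repository-wide check for the weak form is to search workflow files for `github.head_ref` or `github.event.pull_request.head.ref` appearing inside `run:` blocks rather than under `env:`.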

Classification

CVE ID: CVE-2025-47271

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-1116: Inaccurate Comments

Affected Products

Vendor: OZI-Project

Product: publish

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 17.09% (share of all scored vulnerabilities with an EPSS score at or below this one)

EPSS Date: 2025-06-10 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-47271
https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9
https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c

Timeline