Coordinated Disclosure Timeline

Summary

A code injection vulnerability was identified in the GitHub Actions workflow migrator.yml of the ansys/pymapdl project on the latest main branch, enabling potential attackers to execute arbitrary code with privileged context and leak repository secrets. This could lead to unauthorized access, exposure of sensitive information, and further exploitation.

Project

ansys/pymapdl

Tested Version

latest main branch

Details

Code injection in GitHub Actions migrator.yml with privileged context and secret leak (GHSL-2025-091)

Vulnerability Analysis

The GitHub Actions workflow at .github/workflows/migrator.yml:93 interpolates user input from a comment body directly into the script executed by the github-script action. Specifically, the following line contains the potential vulnerability:

commentBody = `${{ github.event.comment.body }}`;

The workflow is started by a user-controlled trigger (issue_comment), which means an attacker can initiate it by adding comments to issues.

The workflow runs with elevated permissions: at line 57, it grants write permission to contents.

The workflow also uses several sensitive secrets that could be leaked; for example, at line 74 it uses PYANSYS_CI_BOT_TOKEN.

The workflow is triggered by issue_comment (lines 29-30), a user-controlled trigger, so an attacker can run it simply by creating comments on issues.
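The root cause above is that `${{ ... }}` expressions are expanded by text substitution before the script is parsed, so an attacker-controlled comment body becomes source code. As an added example (not code from the pymapdl project or the GHSL report), the following detector scans workflow YAML for untrusted expressions inside `run:` or github-script `script:` blocks, and shows that the standard fix, passing the value through `env:` and reading `process.env`, is not flagged. The list of untrusted contexts and the sample steps are constructed for illustration.

```javascript
// Added example, not from the pymapdl project or the GHSL report: a minimal
// detector for attacker-controlled Actions expressions expanded inside an
// inline script (a `run:` step or a github-script `script:` block).
// Contexts a non-maintainer can influence. Assumption: representative, not exhaustive.
const UNTRUSTED_CONTEXTS = [
  /^github\.event\.comment\.body$/,
  /^github\.event\.issue\.(title|body)$/,
  /^github\.event\.pull_request\.(title|body)$/,
  /^github\.head_ref$/,
];
const EXPRESSION = /\$\{\{\s*([^}]+?)\s*\}\}/g;

function isUntrusted(expr) {
  return UNTRUSTED_CONTEXTS.some((re) => re.test(expr.trim()));
}

// Line-based scan of workflow YAML text. Reports each untrusted expression that
// sits on a `run:`/`script:` line or inside its block scalar. Values passed via
// `env:` are not reported: there the script receives them as data, not as code.
function findInlineInjections(yamlText) {
  const findings = [];
  let blockIndent = -1; // indent of the run:/script: key while inside its block
  yamlText.split("\n").forEach((line, i) => {
    const indent = line.search(/\S/); // -1 for a blank line
    if (blockIndent >= 0 && indent !== -1 && indent <= blockIndent) blockIndent = -1;
    const key = line.match(/^\s*(?:-\s+)?(run|script):(.*)$/);
    if (key && /^\s*[|>]/.test(key[2])) blockIndent = line.indexOf(key[1]);
    if (!key && blockIndent < 0) return; // not script text
    for (const m of line.matchAll(EXPRESSION)) {
      if (isUntrusted(m[1])) findings.push({ line: i + 1, expression: m[1].trim() });
    }
  });
  return findings;
}

// Constructed sample steps: the vulnerable shape from the advisory, and the hardened shape.
const VULNERABLE_STEP = [
  "      - uses: actions/github-script@v7",
  "        with:",
  "          script: |",
  "            const commentBody = `${{ github.event.comment.body }}`;",
].join("\n");
const HARDENED_STEP = [
  "      - uses: actions/github-script@v7",
  "        env:",
  "          COMMENT_BODY: ${{ github.event.comment.body }}",
  "        with:",
  "          script: |",
  "            const commentBody = process.env.COMMENT_BODY;",
].join("\n");
console.log(findInlineInjections(VULNERABLE_STEP)); // [{ line: 4, expression: "github.event.comment.body" }]
console.log(findInlineInjections(HARDENED_STEP)); // []
```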

Impact

This issue may lead to code execution with high privileges and secret exfiltration.

Credit

This issue was discovered by CodeQL and an AI agent developed by the GitHub Security Lab and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2025-091 in any communication regarding this issue.