CVE Reports

Originally published at cvereports.com

CVE-2026-25761: Shell Hell in Super-Linter: CVE-2026-25761

Vulnerability ID: CVE-2026-25761
CVSS Score: 8.8
Published: 2026-02-09

Super-linter, the popular 'one-linter-to-rule-them-all' GitHub Action, contained a critical Command Injection vulnerability (CVE-2026-25761) in versions prior to 8.3.1. The flaw resided in the orchestration scripts responsible for discovering changed files in a Pull Request. By crafting a malicious filename containing shell metacharacters—specifically command substitutions like $(...)—an attacker could trick the runner into executing arbitrary code. This allows for exfiltration of secrets, modification of the repository, or lateral movement within the CI/CD pipeline.

TL;DR

A critical OS Command Injection vulnerability in Super-linter allows attackers to execute code via malicious filenames in Pull Requests. Upgrading to version 8.3.1 is mandatory.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-77 (Improper Neutralization of Special Elements used in a Command)
  • Attack Vector: Network (via Pull Request)
  • CVSS Score: 8.8 (High)
  • Impact: Remote Code Execution (RCE) / Secret Exfiltration
  • Exploit Status: PoC Available (Trivial to construct)
  • Affected Versions: >= 6.0.0, < 8.3.1

Affected Systems

  • GitHub Actions Runners
  • Super-linter container environment
  • super-linter/super-linter: >= 6.0.0, < 8.3.1 (Fixed in: 8.3.1)

Code Analysis

Commit: d29d0d4

Fix command injection by replacing eval/xargs with sed/mapfile

- DIFF_GIT_VALIDATE_ALL_CODEBASE="git ... | xargs ... eval ..."
+ LIST_OF_FILES_IN_REPO=$(git ... | sed ...)
+ mapfile -t RAW_FILE_ARRAY <<<"${LIST_OF_FILES_IN_REPO}"
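Review bot: `mapfile -t RAW_FILE_ARRAY <<<"${LIST_OF_FILES_IN_REPO}"` splits the list on newlines, so a file whose name itself contains a newline still lands in the array as two separate entries. Since git can emit NUL-terminated names (`-z`), reading with `mapfile -d '' -t` directly from that output would keep every name intact and remove the need for the intermediate string variable. The `sed` stage is elided here; a one-line comment stating what it strips from the git output would make it easy to confirm it cannot alter a name on its way into the array.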

Exploit Details

  • Theoretical PoC: Creating a file named '$(command).ext' triggers execution during file discovery.

Mitigation Strategies

  • Input Sanitization: Treat filenames as untrusted input.
  • Avoid eval: Replace eval/xargs constructs with native Bash arrays and loops.
  • Privilege Reduction: Ensure CI tokens have the minimum required permissions (read-only where possible).
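The "avoid eval" advice in concrete form, as an added example (not super-linter's own code): changed-file names are read into a Bash array with `mapfile` and handed to the linter as quoted arguments, so a name such as `docs/$(echo INJECTED).md` is only ever data. The `sample_changed_files` function is a constructed stand-in for `git diff --name-only -z`, and `lint_file` is a stand-in for the real linter call; both are assumptions for the sake of running offline. Requires Bash 4.4 or newer for `mapfile -d ''`.

```shell
#!/usr/bin/env bash
# Added example (not super-linter's own code): the file-discovery pattern the
# fix moved to. Changed-file names are read into a Bash array with mapfile and
# handed to the linter as quoted arguments; nothing passes through eval or
# xargs, so shell metacharacters in a name are plain bytes. Needs Bash 4.4+
# for `mapfile -d ''`. All sample data below is constructed.

# Constructed stand-in for `git diff --name-only -z BASE...HEAD`: three names,
# one carrying a command substitution and one containing spaces.
sample_changed_files() {
  printf '%s\0' 'src/main.py' 'docs/$(echo INJECTED).md' 'weird name with spaces.txt'
}

# Read NUL-delimited names from stdin into the global CHANGED_FILES array.
# NUL is the one byte a path cannot contain, so even a newline inside a name
# survives, and the text is never re-parsed: "$(" stays two literal characters.
discover_changed_files() {
  CHANGED_FILES=()
  mapfile -d '' -t CHANGED_FILES
}

# Stand-in for a linter invocation: records the single path it was given.
lint_file() {
  LINTED+=("$1")
}

# Pass every discovered file to the linter as its own quoted argument. In the
# pre-fix shape (eval over an xargs-built string) the same name would be
# re-parsed and its $(...) run; here it is only ever data.
lint_changed_files() {
  LINTED=()
  local f
  for f in "${CHANGED_FILES[@]}"; do
    lint_file "$f"
  done
}

# Defender's check: how many names still hold an unexpanded "$(" or backtick.
# After safe discovery this matches the count in the input, i.e. nothing ran.
count_literal_substitutions() {
  local n=0 f
  for f in "$@"; do
    case "$f" in *'$('* | *'`'*) n=$((n + 1)) ;; esac
  done
  echo "$n"
}

main() {
  discover_changed_files < <(sample_changed_files)
  lint_changed_files
  printf 'discovered %d, linted %d\n' "${#CHANGED_FILES[@]}" "${#LINTED[@]}"
  printf 'names still holding a literal $(...): %s\n' \
    "$(count_literal_substitutions "${CHANGED_FILES[@]}")"
  printf 'second name exactly as the linter saw it: %s\n' "${LINTED[1]}"
}

main "$@"
```

In a real workflow, replace `sample_changed_files` with the git command and `lint_file` with the linter; the array and the quoted `"$f"` are what keep the name from ever being re-parsed by the shell.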

Remediation Steps

  1. Update the GitHub Action version to v8.3.1 or newer in all workflow YAML files.
  2. Audit previous workflow runs for unexpected failure logs or network connections.
  3. Rotate any secrets (GITHUB_TOKEN, AWS keys) that were exposed to the runner environment if a breach is suspected.
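Step 1 above is easy to miss across many repositories, so here is an added audit script (not part of the report or of super-linter) that walks a directory of workflow files, pulls every `super-linter/super-linter@<ref>` pin, and flags anything below 8.3.1. Floating major tags and commit SHAs cannot be compared numerically and are reported as UNRESOLVED for a manual look. The two sample workflows it writes to a temp directory are constructed; point `audit_workflows` at `.github/workflows` for real use.

```shell
#!/usr/bin/env bash
# Added example, not part of the report or of super-linter: audit a directory
# of GitHub workflow files for super-linter references still pinned below the
# fixed 8.3.1. The sample workflows are constructed in a temp directory so the
# script runs offline; point audit_workflows at .github/workflows for real use.

FIXED_VERSION=8.3.1

# Return 0 when dotted version $1 is strictly lower than $2 (missing parts
# count as 0, so "8.3" < "8.3.1").
version_lt() {
  local IFS=.
  local -a a=($1) b=($2)
  local i x y
  for i in 0 1 2; do
    x=${a[i]:-0}; y=${b[i]:-0}
    if (( x < y )); then return 0; fi
    if (( x > y )); then return 1; fi
  done
  return 1
}

# Print every ref used with super-linter/super-linter in a workflow, one per line.
extract_super_linter_refs() {
  grep -oE 'uses:[[:space:]]*super-linter/super-linter[^@[:space:]]*@[^[:space:]]+' "$1" \
    | sed -E 's/.*@//'
}

# Classify a single ref. Only a full x.y.z tag can be compared; a floating
# major tag or a commit SHA is reported as UNRESOLVED for a manual look.
classify_ref() {
  local ref=$1
  if [[ $ref =~ ^v?([0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
    if version_lt "${BASH_REMATCH[1]}" "$FIXED_VERSION"; then
      echo VULNERABLE
    else
      echo FIXED
    fi
  else
    echo UNRESOLVED
  fi
}

# Print "file ref STATUS" for every reference under $1; exit status 1 if any
# reference is VULNERABLE, so the function can gate a CI job.
audit_workflows() {
  local dir=$1 f ref status found=0
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -e "$f" ] || continue
    while IFS= read -r ref; do
      [ -n "$ref" ] || continue
      status=$(classify_ref "$ref")
      printf '%s %s %s\n' "$(basename "$f")" "$ref" "$status"
      if [ "$status" = VULNERABLE ]; then found=1; fi
    done < <(extract_super_linter_refs "$f")
  done
  return "$found"
}

# Constructed sample: one workflow on a vulnerable tag, one on the fix plus a
# floating major tag. Prints the temp directory it wrote them to.
make_sample_workflows() {
  local dir
  dir=$(mktemp -d)
  cat >"$dir/lint.yml" <<'EOF'
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: super-linter/super-linter@v8.2.0
EOF
  cat >"$dir/release.yml" <<'EOF'
jobs:
  lint:
    steps:
      - uses: super-linter/super-linter@v8.3.1
      - uses: super-linter/super-linter@v7
EOF
  echo "$dir"
}

main() {
  local dir
  dir=$(make_sample_workflows)
  if audit_workflows "$dir"; then
    echo "no vulnerable super-linter pins found"
  else
    echo "at least one workflow still pins super-linter below $FIXED_VERSION"
  fi
  rm -rf "$dir"
}

main "$@"
```

The non-zero exit from `audit_workflows` is deliberate so the check can fail a CI job; an UNRESOLVED entry does not fail it, because a floating `v8` tag may already resolve to a fixed release and needs a human to confirm.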
