216.73.216.86

CVE-2025-47271

· Published 12/05/2025 11:15 · Modified 12/05/2025 17:32

Labels: CVE-2025-47271 2025-05-12CVE-2025-47271CWE-94[email protected]

Essential information

Published
12/05/2025 11:15
Modified
12/05/2025 17:32
Author
Creator
CVSS
6.3 MEDIUM (v3) 6.3 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
github / ozi action cpe:2.3:a:github:ozi_action:1.13.2-1.13.5:*:*:*:*:*:*:*
github / ozi action cpe:2.3:a:github:ozi_action:1.13.6:*:*:*:*:*:*:*

References