Eden Ross Duff, MSc, DDiv

1 exploit Active since May 2025
CVE-2025-47271 WRITEUP MEDIUM WRITEUP
OZI-Project/publish 1.13.2-1.13.5 - Remote Code Execution via Branch Name Injection
The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.