CVE-2024-42471

HIGH

actions/artifact <2.1.2 - Path Traversal

Title source: llm

Description

actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue.

Exploits (2)

exploitdb WORKING POC

by cybersploit · pythonlocalnodejs

https://www.exploit-db.com/exploits/52276

View Code ZIP pw:eip

nomisec WORKING POC

by theMcSam · poc

https://github.com/theMcSam/CVE-2024-42471-PoC

View Code ZIP pw:eip

References (3)

[Vendor Advisory] https://github.com/actions/toolkit/security/advisories/GHSA-6q32-hq47-5qq3

[Not Applicable] https://snyk.io/research/zip-slip-vulnerability

[Issue Tracking] https://github.com/actions/toolkit/pull/1666

Scores

CVSS v3 7.3

EPSS 0.0771

EPSS Percentile 91.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Details

CWE

CWE-22

Status published

Products (3)

actions/artifact 2.0.0 - 2.1.2npm

github/actions\/artifact 2.0.0 - 2.1.7

github/actions_toolkit

Published Sep 02, 2024

Tracked Since Feb 18, 2026