
Security PoC: pull_request_target code execution #3646

Closed
orihamama wants to merge 1 commit into github:main from orihamama:security-poc-gh005



@orihamama

Security Research — Coordinated Disclosure

This PR demonstrates a security vulnerability in the jekyll-preview.yml workflow.

Issue: The workflow uses pull_request_target and checks out the PR author's fork code, then builds Jekyll from it. Jekyll plugins in _plugins/ execute arbitrary Ruby during the build.

Impact: Any GitHub user can achieve code execution on the runner with pages:write and id-token:write permissions.

This PR contains a benign PoC that only prints environment info (no destructive actions, no secret exfiltration).

I will be submitting a full report to GitHub's HackerOne bug bounty program.


@orihamama requested a review from a team as a code owner April 26, 2026 17:46
@ahpook closed this Apr 29, 2026
@github locked as spam and limited conversation to collaborators Apr 29, 2026
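
A defender-side check for the pattern the PR description names (a `pull_request_target` workflow that checks out the PR head and then runs a build), as an added example that is not part of the PR or of GitHub's own code. The sample workflow is constructed because the page does not show `jekyll-preview.yml`, and `audit_workflow`, `triggers` and `UNTRUSTED_REF` are hypothetical names.

```ruby
require 'yaml'

# Expressions that resolve to the PR author's (untrusted) code.
UNTRUSTED_REF = /github\.event\.pull_request\.head\.(sha|ref|repo\.full_name)|github\.head_ref/

# Constructed sample; the page does not show the real jekyll-preview.yml.
SAMPLE_RISKY = <<~'YAML'
  on: pull_request_target
  permissions:
    pages: write
    id-token: write
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            ref: ${{ github.event.pull_request.head.sha }}
        - run: bundle exec jekyll build
YAML

# Event names from the workflow's `on:` key.
def triggers(doc)
  # Psych (YAML 1.1) parses a bare `on` key as boolean true, so check both.
  on = doc.key?('on') ? doc['on'] : doc[true]
  on.is_a?(Hash) ? on.keys.map(&:to_s) : Array(on).map(&:to_s)
end

# One finding per job that checks out PR head code under pull_request_target.
def audit_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  return [] unless triggers(doc).include?('pull_request_target')

  (doc['jobs'] || {}).map do |job_id, job|
    steps = job['steps'] || []
    idx = steps.index do |s|
      s['uses'].to_s.start_with?('actions/checkout@') &&
        (s['with'] || {}).values_at('ref', 'repository').any? { |v| v.to_s.match?(UNTRUSTED_REF) }
    end
    next unless idx

    # Job-level permissions override workflow-level ones.
    perms = job['permissions'] || doc['permissions']
    writes = perms.is_a?(Hash) ? perms.select { |_, v| v == 'write' }.keys : [perms || 'repository default']
    { job: job_id, checkout_step: idx, write_scopes: writes,
      executes_after_checkout: steps[(idx + 1)..-1].any? { |s| s['run'] || s['uses'] } }
  end.compact
end
```

A finding with non-empty `write_scopes` and `executes_after_checkout: true` is the combination to fix first, either by building untrusted code under `pull_request` or by dropping the head checkout from the privileged job.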

2 participants