Critical Vulnerability in Claude Code GitHub Action Allows Repository Takeover
A significant security flaw has been identified in Anthropic’s Claude Code GitHub Action, enabling attackers to hijack public repositories by merely opening a single GitHub issue. This vulnerability posed a substantial risk, especially since Anthropic’s own action repository utilized the same workflow, potentially allowing malicious code to propagate to downstream projects.
Discovery and Reporting
Security researcher RyotaK from GMO Flatt Security discovered the vulnerability and reported it to Anthropic in January. Anthropic responded promptly, addressing the core issue within four days and implementing further security enhancements over the following months. The fixes are incorporated in claude-code-action version 1.0.94. Anthropic assessed the vulnerability with a CVSS v4.0 score of 7.8 and awarded a bug bounty to RyotaK for the discovery.
Functionality and Permissions of Claude Code GitHub Action
Claude Code GitHub Actions integrate Anthropic’s AI assistant, Claude, into Continuous Integration/Continuous Deployment (CI/CD) pipelines. This integration automates tasks such as issue triaging, labeling, pull request reviews, and executing slash commands. By default, the workflow is granted read and write access to a repository’s code, issues, pull requests, discussions, and workflow files. Due to these extensive permissions, the action is designed to restrict triggers to users with write access.
Exploitation of the Vulnerability
The vulnerability stemmed from a flaw in the trigger check mechanism. The system erroneously allowed any actor with a username ending in [bot] to trigger actions, under the assumption that such accounts were trusted GitHub Apps installed by repository administrators. However, this oversight permitted any individual to register a GitHub App, install it on their repository, and use its token to open issues or pull requests on any public repository. The action misidentified these as legitimate bots, allowing the attacker’s content to pass through.
Once this initial barrier was bypassed, attackers could employ indirect prompt injection. By crafting an issue that appeared as an error message, they could manipulate Claude into executing embedded commands. A primary target was the /proc/self/environ file, which contains a process’s environment variables, including sensitive secrets. Although Claude Code had measures to block straightforward reads of this file, RyotaK devised a method to circumvent these protections, enabling the extraction of environment variables.
Among the extracted data were credentials used by GitHub Actions to request an OpenID Connect (OIDC) token. This token verifies the identity of the workflow running in the repository. Claude Code exchanges this token with Anthropic’s backend to obtain a Claude GitHub App installation token with write access. By stealing these credentials and replaying the exchange, an attacker could gain write access to the target repository’s code, issues, and workflows. If directed at the claude-code-action repository itself, this could result in the distribution of malicious code to downstream projects.
Additional Vulnerabilities
RyotaK also identified a simpler attack vector that did not require abusing the bot mechanism. Anthropic’s example issue-triage workflow set allowed_non_write_users to a value that permitted any user to trigger the action, a configuration whose risks Anthropic’s documentation already warned about. Compounding the issue, Claude posted task summaries to the workflow run’s publicly visible summary panel, inadvertently exposing sensitive data. Many repositories that adopted this example inherited these weaknesses.
Another potential attack involved an adversary with the ability to edit issues but lacking the capability to trigger Claude directly. By modifying a trusted user’s issue after it had initiated the workflow but before Claude processed it, the attacker could inject malicious content that would be treated as trusted input.
Recommendations and Mitigation
To mitigate these risks, users are advised to update to claude-code-action version 1.0.94 or later. Additionally, it’s crucial to audit workflows that allow triggers from users without write access or from bots. If such workflows process untrusted input, they should be configured to avoid exposing any secrets beyond the Anthropic API key and GITHUB_TOKEN. Furthermore, tools and permissions that could facilitate data exfiltration should be removed to enhance security.
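As an added, defender-side example (not code from the advisory or from Anthropic’s project), the following Python script applies the audit steps above to a workflow file: it flags claude-code-action references older than 1.0.94 or not pinned to a release tag, any allowed_non_write_users setting, and secrets beyond ANTHROPIC_API_KEY and GITHUB_TOKEN. The action path anthropics/claude-code-action is assumed from the action’s repository name, and the sample workflow is constructed for the demonstration.

```python
import re
FIXED_VERSION = (1, 0, 94)                      # first release carrying the fixes
ALLOWED_SECRETS = {"ANTHROPIC_API_KEY", "GITHUB_TOKEN"}  # only secrets a workflow on untrusted input should see
ACTION_RE = re.compile(r"uses:\s*anthropics/claude-code-action@(\S+)")  # assumed owner/name path
NON_WRITE_RE = re.compile(r"allowed_non_write_users:\s*(.*)$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def audit_workflow(text):
    """Scan one workflow file's text; return (line_no, rule, detail) findings."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):       # skip YAML comment lines
            continue
        m = ACTION_RE.search(line)
        if m:
            ref = m.group(1)
            sv = SEMVER_RE.match(ref)
            if sv is None:                      # branch, major tag or SHA: cannot prove it is patched
                findings.append((no, "unpinned-ref", f"ref '{ref}' is not a release tag; confirm it resolves to >= 1.0.94"))
            elif tuple(map(int, sv.groups())) < FIXED_VERSION:
                findings.append((no, "outdated-action", f"{ref} predates the 1.0.94 fix"))
        m = NON_WRITE_RE.search(line)
        if m:
            value = m.group(1).split("#")[0].strip().strip("'\"")
            if value:                           # any value widens triggering beyond write-access users
                findings.append((no, "non-write-trigger", f"allowed_non_write_users={value!r} lets non-write users trigger Claude"))
        for name in SECRET_RE.findall(line):
            if name not in ALLOWED_SECRETS:
                findings.append((no, "extra-secret", f"secret {name} is exposed beyond ANTHROPIC_API_KEY/GITHUB_TOKEN"))
    return findings

# Constructed sample workflow modelled on the risky example configuration.
SAMPLE_WORKFLOW = """\
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.90
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          allowed_non_write_users: "*"
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
if __name__ == "__main__":
    for no, rule, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: [{rule}] {detail}")
```

Run it over each file under .github/workflows; a clean result is three empty rule sets, not proof that the workflow never sees untrusted input.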
Conclusion
This incident underscores the importance of rigorous security practices in CI/CD pipelines and the potential risks associated with automated actions. By promptly addressing the vulnerability and implementing robust security measures, Anthropic has demonstrated a commitment to safeguarding its users and the broader open-source community.