SC-GHA-CACHE-POISON-2024
CI/CD · GitHub Actions · GitHub Actions cache poisoning
Summary
GitHub Actions cache poisoning abuses the fact that the Actions cache is shared across a repository's branches and is not integrity-validated against the producer, so a low-privileged context can plant a payload that a trusted context later restores and executes. Cache entries are keyed and versioned only by client-side computation, the branch-scoping boundary is not enforced server-side, and the restore step extracts the cached tarball without verifying that the restored files match what was originally cached. An attacker who gains code execution on a fork or low-privilege branch (commonly via script injection through untrusted inputs like github.head_ref in a pull_request_target workflow) writes a malicious entry under a key that a higher-privilege workflow on a protected branch will restore, gaining code execution in the trusted context and access to its secrets. The runtime cache token remaining valid after job completion and the per-repo eviction limit widen the window, letting the attacker evict legitimate entries and substitute poisoned ones. Adnan Khan documented the class on May 6, 2024 and built the Cacheract tool, with confirmed findings in projects including angular/components, mdn/content, hyperledger/besu and a later full chain in angular/dev-infra that exposed an admin-scoped GitHub App token.
How to avoid it in your code
- Treat the cache as untrusted input; verify artifact integrity (checksums/signatures) before using restored caches.
- Do not let untrusted fork or PR workflows write to caches shared with protected branches.
- Avoid script injection: never interpolate github.head_ref or other untrusted inputs into run steps.
- Restrict GITHUB_TOKEN to read-only and remove actions:write where cache writes are not required.
- Isolate or namespace caches per trust boundary and rebuild release dependencies from scratch.
References
Related vulnerabilities
All Supply chain →- MEDIUMGHSA-MQXH-6GQ7-558M
Pi Agent: Pi loads project-local extensions without approval
- MEDIUMGHSA-RV63-4MWF-QQC2
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
- CRITICALNPM-SHAI-HULUD-2-2025
A renewed wave of the Shai-Hulud worm, dubbed Shai-Hulud 2.0 or 'The Second Coming', began around November 21-24, 2025 and affected tens of thousands of GitHub repositories across roughly 350 unique users. The variant moved execution to the pre-install phase, dropped large heavily obfuscated payloads (setup_bun.js and bun_environment.js), and exfiltrated stolen secrets to public GitHub repositories described as 'Sha1-Hulud: The Second Coming'. As an aggressive fallback, it attempted to destroy the victim's entire home directory if credential theft failed.
- CRITICALNPM-SHAI-HULUD-2025
Shai-Hulud was the first self-replicating worm to hit the npm ecosystem, disclosed around September 15, 2025. Beginning with the compromise of @ctrl/tinycolor (over 2 million weekly downloads), the malware harvested developer credentials (npm tokens, GitHub PATs, and AWS/GCP/Azure secrets) using the TruffleHog secret scanner, then automatically authenticated to npm and republished trojanized versions of every package the victim maintained, spreading exponentially without operator intervention. It exfiltrated stolen secrets to attacker webhooks and public GitHub repositories and established persistence via a malicious GitHub Actions workflow. More than 500 packages were ultimately compromised, including several CrowdStrike packages.
- MEDIUMGHSA-HHPQ-7WG4-36JM
CakePHP Authentication: Open redirect weakness via backslash bypass
- CRITICALGHSA-8FQ9-273G-6MRG
Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation