QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-47271

Back to search

CVE-2025-47271

Published: May 12, 2025

Modified: May 12, 2025

PUBLISHED

Description

The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.

VendorProductVersions

OZI-Project

publish

affected
>= 1.13.2, < 1.13.6

Weaknesses (CWE)

CWE-94
CWE-95
CWE-1116

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now