Vulnerable Use of actions/download-artifact@v1 in CI – Arbitrary File Write via CVE-2024-42471

Hii

The GitHub Actions workflow in the `FoXAI` repository is using a vulnerable version of `actions/download-artifact@v2`, which is affected by **CVE-2024-42471**. This vulnerability allows attackers to exploit artifact extraction to overwrite arbitrary files on the GitHub runner. This could lead to **remote code execution**, **workflow manipulation**, or **leakage of secrets**.

📍 Vulnerable usage:
[FoXAI: publish\_docs.yaml#L87](https://github.com/softwaremill/FoXAI/blob/0b4c772375ac14e46e96960d3d4f83c9dc9fb138/.github/workflows/publish_docs.yaml#L87)

![Image](https://github.com/user-attachments/assets/9c964f9f-5873-4b47-80aa-dae9432a568a)

---

**How to reproduce?**

1. Fork the repository.
2. Push a crafted artifact with directory traversal (`../`) paths.
3. Trigger the `publish_docs` workflow.
4. Observe file overwrite on the GitHub-hosted runner.

---

**Additional information**

* This vulnerability exists in both `@v1` and `@v2` of the action.
* Recommended patch:
  Replace the usage with the secure version:

  ```yaml
  uses: actions/download-artifact@v4
  ```
* Severity: **High**, especially for public or fork-enabled repositories.

---

🔗 **References:**

* GitHub Advisory: [https://github.com/advisories/ghsa-6q32-hq47-5qq3](https://github.com/advisories/ghsa-6q32-hq47-5qq3)
* CVE Details: [https://nvd.nist.gov/vuln/detail/CVE-2024-42471](https://nvd.nist.gov/vuln/detail/CVE-2024-42471)




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerable Use of actions/download-artifact@v1 in CI – Arbitrary File Write via CVE-2024-42471 #148

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerable Use of actions/download-artifact@v1 in CI – Arbitrary File Write via CVE-2024-42471 #148

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions