CVE-2025-53546: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in RSSNext Folo
Folo organizes feeds content into one timeline. Using pull_request_target on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets (from the base repo). By exploiting the vulnerability it is possible to exfiltrate GITHUB_TOKEN, which has high privileges. GITHUB_TOKEN can be used to completely take over the repo since the token has content write privileges. This vulnerability is fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a.
AI Analysis
Technical Summary
CVE-2025-53546 is a critical vulnerability in the GitHub repository of Folo, the RSSNext feed reader that organizes feed content into a single timeline. The flaw is not in the Folo application code but in the repository's CI configuration: the workflow '.github/workflows/auto-fix-lint-format-commit.yml' is triggered by the 'pull_request_target' event. Unlike 'pull_request', which runs a fork's pull request in the fork's context with a read-only token and no repository secrets, 'pull_request_target' runs the workflow definition from the base branch with the base repository's secrets and a GITHUB_TOKEN that, unless restricted by a 'permissions' block, can write to the repository. That is safe only as long as the workflow never executes anything taken from the pull request. An auto-fix workflow does the opposite by design: it checks out the pull request head, runs lint and format tooling over it, and commits the result. Package manifests, install scripts and tool configuration files in that checkout are attacker-controlled, so anyone who can open a pull request from a fork can run arbitrary code inside the privileged job, with no maintainer interaction, because the workflow fires automatically on pull request events.

From inside that job the attacker can read every secret exposed to it and exfiltrate GITHUB_TOKEN. The token is short-lived (it expires when the job finishes or after 24 hours at most), but the job itself is under the attacker's control and can be kept running while the token is used to push commits to any branch not covered by branch protection or to create tags and releases; the advisory describes this as a complete takeover of the repository. The weakness is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): trusted privileges are applied to code from an untrusted source. The fix is repository commit 585c6a591440cd39f92374230ac5d65d7dd23d6a; repository states before that commit are affected, and there is no application version for end users to upgrade. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): network attack vector, low complexity, no privileges or user interaction, high confidentiality and integrity impact, no availability impact. No exploitation in the wild has been reported, but the attack is straightforward and this 'pwn request' misconfiguration is a well-known class of GitHub Actions weakness.
Potential Impact
The directly exposed asset is the Folo GitHub repository itself: anyone able to open a pull request could obtain a write-capable GITHUB_TOKEN and the repository's secrets, and with them push backdoored commits, publish tampered tags or releases, or reuse leaked credentials against downstream services. For European organizations the exposure is of two kinds. Organizations that build, package or deploy Folo from its repository are exposed indirectly, as a supply-chain risk: code or releases pulled from the repository during the window before the fix could have been modified by a third party. Organizations that use the same workflow pattern in their own repositories, a 'pull_request_target' job that checks out pull request content and runs tooling over it, are exposed directly and in exactly the same way, whether or not they have anything to do with Folo. A compromised repository can cascade into production through CI/CD pipelines that trust its contents, and the resulting loss of integrity can affect service availability indirectly. Where personal data or customer-facing systems are involved, a breach caused by unauthorized code changes or exfiltrated secrets may also trigger notification obligations and penalties under GDPR.
Mitigation Recommendations
Consumers of Folo have no patch to apply: the fix is commit 585c6a591440cd39f92374230ac5d65d7dd23d6a in the Folo repository, and anyone maintaining a fork or mirror that still carries the old workflow should pull that commit or delete the workflow. Organizations that build Folo from source should confirm the commit is present and treat artifacts produced from the repository before the fix with appropriate suspicion. The broader mitigation applies to every repository: audit '.github/workflows/' for 'pull_request_target' (and for 'workflow_run' or 'issue_comment' jobs that act on pull request content) and check whether the job checks out the pull request head ('github.event.pull_request.head.sha', 'github.head_ref', 'refs/pull/N/merge') and then executes anything from that checkout, including package installs, linters and formatters, whose configuration files are part of the checkout. Such jobs belong on the 'pull_request' event, which runs in the fork's context with a read-only token and no repository secrets; if results must be written back (an auto-fix commit, a review comment), split the work into an unprivileged 'pull_request' job that uploads its output as an artifact and a separate privileged job that consumes only that artifact and never executes pull request code. Set 'permissions: contents: read' at the top of every workflow and grant write scopes per job only where needed. Keep branch protection with required reviews on release branches: a GITHUB_TOKEN exfiltrated from a job is still subject to those rules. Because GITHUB_TOKEN is minted per job and expires when the job ends, rotation does not apply to it, but any long-lived repository or organization secret that was available to an affected workflow should be rotated. Monitor the audit log and the Actions run history for workflow runs on pull requests from unknown forks, runs that last unusually long (an attacker keeping the job alive to use the token), and pushes or releases made by github-actions[bot] that no reviewed change explains. Finally, train developers on the 'pwn request' class of GitHub Actions misconfiguration, and review third-party workflows and actions, pinned to commit SHAs, before adopting them.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-02T15:15:11.516Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686e7f236f40f0eb72045278
Added to database: 7/9/2025, 2:39:31 PM
Last enriched: 7/9/2025, 2:54:32 PM
Last updated: 7/9/2025, 4:09:33 PM
Views: 3