CVE-2025-55192: CWE-94: Improper Control of Generation of Code ('Code Injection') in JurajNyiri HomeAssistant-Tapo-Control
HomeAssistant-Tapo-Control offers Control for Tapo cameras as a Home Assistant component. Prior to commit 2a3b80f, there is a code injection vulnerability in the GitHub Actions workflow .github/workflows/issues.yml. It does not affect users of the Home Assistant integration itself — it only impacts the GitHub Actions environment for this repository. The vulnerable workflow directly inserted user-controlled content from the issue body (github.event.issue.body) into a Bash conditional without proper sanitization. A malicious GitHub user could craft an issue body that executes arbitrary commands on the GitHub Actions runner in a privileged context whenever an issue is opened. The potential impact is limited to the repository’s CI/CD environment, which could allow access to repository contents or GitHub Actions secrets. This issue has been patched via commit 2a3b80f. Workarounds involve disabling the affected workflow (issues.yml), replacing the unsafe Bash comparison with a safe quoted grep (or a pure GitHub Actions expression check), or ensuring minimal permissions in workflows (permissions: block) to reduce possible impact.
AI Analysis
Technical Summary
CVE-2025-55192 is a high-severity code injection vulnerability (CWE-94) found in the GitHub Actions workflow of the HomeAssistant-Tapo-Control repository, a component designed to control Tapo cameras within the Home Assistant platform. The vulnerability exists in the .github/workflows/issues.yml file prior to commit 2a3b80ff128ddf4f410c97dd47a94343792ce43c. Specifically, the workflow unsafely incorporates user-controlled input from the GitHub issue body (github.event.issue.body) directly into a Bash conditional statement without proper sanitization or escaping. This flaw allows a malicious GitHub user to craft an issue with a specially designed body that executes arbitrary commands on the GitHub Actions runner. Since the runner operates with privileged access to the repository environment, this can lead to unauthorized access to repository contents and GitHub Actions secrets. Importantly, this vulnerability does not affect the Home Assistant integration or end users controlling Tapo cameras; it is confined to the CI/CD environment of the repository. The issue has been addressed by patching the workflow to safely handle user input, such as replacing unsafe Bash conditionals with quoted grep commands or GitHub Actions expression checks, and by recommending minimal permissions for workflows to limit impact. No known exploits are reported in the wild as of now.
Potential Impact
For European organizations, the direct impact of this vulnerability is primarily on developers and maintainers who use the HomeAssistant-Tapo-Control repository or fork it, especially if they rely on GitHub Actions workflows for CI/CD. If exploited, attackers could gain access to sensitive repository data and secrets stored in GitHub Actions, potentially leading to further compromise of development pipelines or leaking of credentials. However, since the vulnerability does not affect the deployed Home Assistant integration or the Tapo camera control functionality itself, the risk to operational environments and end users is minimal. Organizations using Home Assistant with Tapo cameras but not contributing to or running this specific GitHub repository's workflows are not directly impacted. Nevertheless, organizations that maintain or contribute to open-source projects with similar CI/CD configurations should be aware of this class of vulnerabilities to prevent supply chain risks. The exposure of secrets or repository code could indirectly affect European companies relying on this software for automation or smart home management if attackers leverage stolen credentials or code to pivot into broader attacks.
Mitigation Recommendations
To mitigate this vulnerability, European organizations and developers should:
1) Immediately update the HomeAssistant-Tapo-Control repository to include the patched commit (2a3b80ff128ddf4f410c97dd47a94343792ce43c) or later versions that sanitize user input in GitHub Actions workflows.
2) Disable or remove the vulnerable issues.yml workflow if it is not essential to their CI/CD process.
3) Replace unsafe Bash conditionals that incorporate user input with safe alternatives such as quoted grep commands or native GitHub Actions expression checks that do not invoke shell commands with unsanitized input.
4) Implement the principle of least privilege by restricting GitHub Actions workflow permissions using the permissions: block or minimal permission settings to reduce the impact of any potential compromise.
5) Regularly audit GitHub Actions workflows for similar injection risks, especially those processing user-generated content.
6) Monitor GitHub repositories for suspicious issue creation activity that could indicate exploitation attempts.
7) Educate developers about secure CI/CD practices and the risks of code injection in automation scripts.
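The following workflow is an illustrative example added here; it is not the repository's actual issues.yml, and the trigger, the keyword "Diagnostics", the label "needs-diagnostics", the job and step names are assumptions. It places the unsafe pattern the advisory describes (expression interpolated straight into a Bash conditional, shown commented out) next to the two recommended fixes: passing the issue body through an environment variable and testing it with a quoted fixed-string grep, and a pure GitHub Actions expression check that never reaches a shell. It also carries the least-privilege permissions block the advisory recommends.

```yaml
# Illustrative workflow (added example, not the project's own file).
# Keyword, label, job and step names are assumptions for illustration.
name: Triage new issues

on:
  issues:
    types: [opened]

# Least-privilege permissions block: even if a step were compromised,
# GITHUB_TOKEN could only read repository contents and edit issues.
permissions:
  contents: read
  issues: write

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE (the pattern this advisory describes): a ${{ }} expression is
      # substituted into the script text before Bash ever parses it, so the
      # quotes in the script do not protect anything; whatever the issue
      # body contains becomes part of the shell script itself.
      #
      # - run: |
      #     if [[ "${{ github.event.issue.body }}" == *"Diagnostics"* ]]; then
      #       echo "has diagnostics"
      #     fi

      # SAFE: hand the untrusted value to the step as an environment
      # variable. Bash receives it as data, not as script text. grep -F
      # treats the keyword as a fixed string rather than a regex, and "--"
      # prevents a keyword starting with "-" from being read as an option.
      - name: Check issue body for a diagnostics section
        id: body
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          if printf '%s' "$ISSUE_BODY" | grep -qF -- "Diagnostics"; then
            echo "has_diagnostics=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_diagnostics=false" >> "$GITHUB_OUTPUT"
          fi

      # ALSO SAFE: a pure expression check is evaluated by the Actions
      # runner, so no shell sees the issue body at all. Values the command
      # needs still travel through env, never through ${{ }} in `run`.
      - name: Label issues that lack a diagnostics section
        if: ${{ !contains(github.event.issue.body, 'Diagnostics') }}
        env:
          GH_TOKEN: ${{ github.token }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          REPO: ${{ github.repository }}
        run: gh issue edit "$ISSUE_NUMBER" --repo "$REPO" --add-label "needs-diagnostics"
```

The rule of thumb a workflow audit (recommendation 5 above) can apply mechanically: any `${{ ... }}` that appears inside a `run:` script and references attacker-influenced event data (issue or pull request title and body, comment body, branch names, commit messages) is the pattern to flag; moving the reference into `env:` and referencing the variable from the script is the fix.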
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-08T21:55:07.963Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689e16b9ad5a09ad005d0c81
Added to database: 8/14/2025, 5:02:49 PM
Last enriched: 8/14/2025, 5:18:17 PM
Last updated: 8/14/2025, 7:32:52 PM
Views: 2
Related Threats
- CVE-2025-8983: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-8981: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-50862: n/a (Medium)
- CVE-2025-50861: n/a (High)