
CVE-2025-55192: CWE-94: Improper Control of Generation of Code ('Code Injection') in JurajNyiri HomeAssistant-Tapo-Control

High
Tags: Vulnerability, CVE-2025-55192, cve, cwe-94
Published: Thu Aug 14 2025 (08/14/2025, 16:40:33 UTC)
Source: CVE Database V5
Vendor/Project: JurajNyiri
Product: HomeAssistant-Tapo-Control

Description

HomeAssistant-Tapo-Control provides control of Tapo cameras as a Home Assistant component. Prior to commit 2a3b80f, there is a code injection vulnerability in the GitHub Actions workflow .github/workflows/issues.yml. It does not affect users of the Home Assistant integration itself; it only impacts the GitHub Actions environment for this repository. The vulnerable workflow directly inserted user-controlled content from the issue body (github.event.issue.body) into a Bash conditional without proper sanitization. A malicious GitHub user could craft an issue body that executes arbitrary commands on the GitHub Actions runner in a privileged context whenever an issue is opened. The potential impact is limited to the repository's CI/CD environment, which could allow access to repository contents or GitHub Actions secrets. This issue has been patched via commit 2a3b80f. Workarounds involve disabling the affected workflow (issues.yml), replacing the unsafe Bash comparison with a safe quoted grep (or a pure GitHub Actions expression check), or restricting the workflow's token to minimal permissions (a top-level permissions: block) to reduce possible impact.

AI-Powered Analysis

AILast updated: 09/12/2025, 23:20:18 UTC

Technical Analysis

CVE-2025-55192 is a high-severity code injection vulnerability (CWE-94) in a GitHub Actions workflow of the HomeAssistant-Tapo-Control repository, a custom component for controlling Tapo cameras from Home Assistant. The flaw is in .github/workflows/issues.yml prior to commit 2a3b80ff128ddf4f410c97dd47a94343792ce43c. The workflow interpolates the issue body (github.event.issue.body) directly into a Bash conditional in a run step. GitHub expands ${{ }} expressions into the script text before the shell parses it, so an issue body that closes the surrounding quote and appends its own commands becomes part of the script and runs on the runner every time the workflow fires on a newly opened issue. On a public repository any GitHub account can open an issue, so no prior access to the project is needed. Workflows triggered by the issues event run in the repository's own context, with the job's GITHUB_TOKEN and any secrets the job references, so successful exploitation could expose repository contents and GitHub Actions secrets. The vulnerability does not affect the Home Assistant integration or end users controlling Tapo cameras; it is limited to the repository's CI/CD environment. The issue is fixed in commit 2a3b80f. The workarounds listed in the advisory are disabling the workflow, replacing the unsafe Bash comparison with a quoted grep (or a pure GitHub Actions expression check), and restricting the workflow token with a minimal permissions block. No exploitation in the wild has been reported.

Potential Impact

For European organizations that fork, contribute to, or run copies of the HomeAssistant-Tapo-Control repository, or that maintain GitHub repositories with comparable CI/CD workflows, this vulnerability poses a risk primarily to the integrity and confidentiality of the software development lifecycle. If exploited, an attacker could execute arbitrary commands on the GitHub Actions runner and read whatever the job's token and secrets expose, such as API keys or credentials used in release or publishing steps. That access could be used to tamper with repository contents or releases and so become a supply chain compromise for downstream users of the component. The vulnerability does not affect the deployed Home Assistant integration or the cameras it controls, but a compromised CI/CD environment undermines trust in the project's updates and releases. European entities involved in open source development or relying heavily on GitHub Actions should treat this as a reminder that any workflow interpolating untrusted event data into a shell step carries the same risk.

Mitigation Recommendations

Organizations that fork or mirror the HomeAssistant-Tapo-Control repository, and therefore carry its workflows, should update to commit 2a3b80ff128ddf4f410c97dd47a94343792ce43c or later, or disable the issues.yml workflow. For repositories with similar GitHub Actions workflows, never interpolate user-controlled event fields (issue bodies and titles, comment bodies, PR titles, branch names) with ${{ }} directly into a run script; pass them to the step through an env: entry and reference the environment variable, quoted, inside the script, or perform the comparison with a GitHub Actions expression in an if: condition so no shell parsing is involved. Limit the workflow token with a top-level permissions: block listing only the scopes the job needs (for example contents: read and issues: write) so that a compromised step cannot push code or read more than it must. Disable or remove workflows that process untrusted input without validation. Monitor GitHub Actions logs and audit repository secrets regularly to detect suspicious activity, and require branch protection and code review for changes under .github/workflows/ so that similar patterns are caught before they are merged.
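As an added illustration (not code from the HomeAssistant-Tapo-Control project, and not its actual issues.yml), the following bash script simulates the mechanism described in the description and the mitigations above: the Actions runner substitutes the ${{ github.event.issue.body }} expression into the step script text before bash parses it, so a crafted issue body becomes shell code, whereas passing the body through an environment variable and comparing it with a quoted, fixed-string grep leaves it as inert data. The step templates, the ISSUE_BODY variable name and both issue bodies are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the HomeAssistant-Tapo-Control repository.
# Simulates how a GitHub Actions `run:` step is rendered: the runner replaces
# ${{ ... }} expressions in the script TEXT before bash parses it, so an issue
# body containing shell syntax becomes part of the program.
#
# Constructed stand-ins for the two workflow shapes (YAML shown for reference):
#   vulnerable: run: if [[ "${{ github.event.issue.body }}" == *"Tapo"* ]]; then ...
#   hardened:   env: { ISSUE_BODY: "${{ github.event.issue.body }}" }
#               run: if printf '%s' "$ISSUE_BODY" | grep -qF 'Tapo'; then ...
#   (a pure expression check would instead be: if: contains(github.event.issue.body, 'Tapo'))

TOKEN='${{ github.event.issue.body }}'

# Vulnerable step: the expression sits inside the script text itself.
VULN_STEP='if [[ "${{ github.event.issue.body }}" == *"Tapo"* ]]; then echo matched; fi'

# Hardened step: the body never enters the script; it is read from the environment
# at run time, quoted, and matched as a fixed string (-F), so nothing is re-parsed.
SAFE_STEP='if printf "%s" "$ISSUE_BODY" | grep -qF "Tapo"; then echo matched; fi'

# Constructed issue bodies.
BENIGN_BODY='Camera model: Tapo C200, firmware 1.3.x'
# Closes the open double quote, terminates the conditional, runs its own command,
# then reopens a conditional so the remainder of the original line still parses.
MALICIOUS_BODY='x" == "x" ]]; then echo INJECTED; fi; if [[ "y'

# Stand-in for the runner's template expansion: literal substitution of the first
# occurrence of TOKEN in the step script (POSIX prefix/suffix stripping, no regex).
render_step() {   # $1 = step script template, $2 = issue body
    template=$1
    body=$2
    case $template in
        *"$TOKEN"*) printf '%s' "${template%%"$TOKEN"*}$body${template#*"$TOKEN"}" ;;
        *)          printf '%s' "$template" ;;
    esac
}

run_vulnerable_step() {   # $1 = issue body; prints whatever the rendered script prints
    bash -c "$(render_step "$VULN_STEP" "$1")"
}

run_safe_step() {   # $1 = issue body; reaches the script only via the environment
    ISSUE_BODY=$1 bash -c "$SAFE_STEP"
}

echo "rendered vulnerable script: $(render_step "$VULN_STEP" "$MALICIOUS_BODY")"
echo "vulnerable, benign body:    $(run_vulnerable_step "$BENIGN_BODY")"
echo "vulnerable, malicious body: $(run_vulnerable_step "$MALICIOUS_BODY")"
echo "hardened, benign body:      $(run_safe_step "$BENIGN_BODY")"
echo "hardened, malicious body:   '$(run_safe_step "$MALICIOUS_BODY")'"
```

Running it shows the vulnerable step printing INJECTED for the crafted body, because the rendered script is literally `if [[ "x" == "x" ]]; then echo INJECTED; fi; ...`, while the hardened step prints nothing for the same body and still matches the benign one. The same env-variable pattern applies to any event field an outside user controls (issue titles, comment bodies, PR titles, branch names), and a minimal permissions: block limits what a step can do even if a future workflow reintroduces the mistake.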


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-08T21:55:07.963Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 689e16b9ad5a09ad005d0c81

Added to database: 8/14/2025, 5:02:49 PM

Last enriched: 9/12/2025, 11:20:18 PM

Last updated: 9/27/2025, 5:12:53 AM

