CVE-2026-44358: CWE-427: Uncontrolled Search Path Element in espressif shared-github-dangerjs
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action's own code. This vulnerability is fixed in 1.0.1.
AI Analysis
Technical Summary
Espressif's shared-github-dangerjs GitHub Action versions before 1.0.1 contain an uncontrolled search path element vulnerability (CWE-427) in the entrypoint.sh script. The script invokes DangerJS from the caller's workspace after copying the fork's checkout, allowing untrusted code from fork pull requests processed by pull_request_target workflows to execute inside the action container. This can lead to execution of malicious code supplied by the fork instead of the action's own code. The vulnerability is addressed in version 1.0.1.
Potential Impact
The vulnerability allows an attacker submitting a forked pull request to execute arbitrary code within the GitHub Action container by exploiting the untrusted search path for binaries and Node.js modules. This can lead to high integrity impact by replacing intended code execution with attacker-controlled code. Confidentiality impact is limited, and availability is not affected. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade Espressif shared-github-dangerjs to version 1.0.1 or later, where the vulnerability is fixed. Since no official patch link or advisory is provided, users should verify the version in use and update accordingly. Patch status is not explicitly confirmed beyond the version fix noted; check the vendor's repository or release notes for official confirmation and further guidance.
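To make the search-path point in the description concrete, the following is an added shell example, not the project's entrypoint.sh or any of its code: two constructed temporary directories stand in for the action's own install and for the caller's workspace that holds the copied fork checkout, each with a `node_modules/.bin/danger`. The weak form places a relative `node_modules/.bin` on PATH and resolves it from the workspace; the pinned form invokes the action's binary by absolute path; and a small pre-flight check reports when the workspace would shadow the name about to be run (all names below are assumptions for the demonstration).

```shell
#!/bin/sh
# Added example: CWE-427 in a CI entrypoint, and the pinned-path alternative.
# Every path here is constructed under a temporary directory.

setup_dirs() {
  ROOT=$(mktemp -d)
  ACTION_DIR="$ROOT/action"        # where the action's own code lives
  WORKSPACE="$ROOT/workspace"      # caller's workspace, holds the fork checkout
  for d in "$ACTION_DIR" "$WORKSPACE"; do
    mkdir -p "$d/node_modules/.bin"
  done
  printf '#!/bin/sh\necho action-danger\n' > "$ACTION_DIR/node_modules/.bin/danger"
  # Constructed stand-in for a file that arrived with the fork's checkout.
  printf '#!/bin/sh\necho fork-danger\n' > "$WORKSPACE/node_modules/.bin/danger"
  chmod +x "$ACTION_DIR/node_modules/.bin/danger" \
           "$WORKSPACE/node_modules/.bin/danger"
}

# Weak pattern: the action's bin directory is on PATH, but a relative
# node_modules/.bin sits in front of it and is resolved against the current
# directory, which is the untrusted workspace.
run_weak() {
  ( cd "$WORKSPACE" && \
    PATH="node_modules/.bin:$ACTION_DIR/node_modules/.bin:$PATH" danger )
}

# Hardened pattern: the workspace may still be the working directory (DangerJS
# needs the repository), but the binary is named by absolute path, so nothing
# in the workspace takes part in resolving it.
run_pinned() {
  ( cd "$WORKSPACE" && "$ACTION_DIR/node_modules/.bin/danger" )
}

# Pre-flight check: returns 1 if the workspace would contribute an executable
# under the name the action is about to invoke.
shadow_check() {
  if [ -x "$WORKSPACE/node_modules/.bin/$1" ]; then
    echo "workspace shadows $1"
    return 1
  fi
  return 0
}

setup_dirs
echo "weak:   $(run_weak)"     # fork-danger
echo "pinned: $(run_pinned)"   # action-danger
```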
CVSS v3.1
Score: 8.2 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-05T20:15:20.630Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a186052e29bf47b500b4212
Added to database: 5/28/2026, 3:33:38 PM
Last enriched: 5/28/2026, 3:49:14 PM
Last updated: 5/29/2026, 8:21:23 AM