Cyber Resilience

CVE-2025-53546

Severity: Critical
Published: 09 July 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0031 (54.3rd percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53546 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Supply Chain Compromise (T1195). The CVE ranks in the top 45.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-53546 is a critical-severity vulnerability (CVSS v3.1 base score 9.1) affecting Folo, an open-source tool that organizes feed content into one timeline. The issue stems from the misuse of the pull_request_target event trigger in the .github/workflows/auto-fix-lint-format-commit.yml GitHub Actions workflow file (CWE-829). Because pull_request_target runs in the context of the base repository, this configuration lets untrusted code from a pull request execute with full access to the base repository's secrets.

Any unauthenticated attacker with network access can exploit this vulnerability; the attack complexity is low and no user interaction is required. By submitting a malicious pull request, the attacker triggers the workflow to run untrusted code, enabling exfiltration of the GITHUB_TOKEN, which carries high privileges including content write access. With that token the attacker can completely take over the repository.

The vulnerability has been fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a, as detailed in the GitHub security advisory GHSA-h87r-5w74-qfm4. Security practitioners should update to this commit or later to mitigate the issue and review workflows using pull_request_target for similar misconfigurations.

Vulnerability details

Folo organizes feed content into one timeline. Using pull_request_target on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets (from the base repo). By exploiting the vulnerability it is possible to exfiltrate GITHUB_TOKEN, which has high privileges. GITHUB_TOKEN can be used to completely overtake the repo since the token has content write privileges. This vulnerability is fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195 Supply Chain Compromise (Initial Access): Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

The vulnerability directly enables supply chain compromise: a malicious PR executes untrusted code in a privileged CI workflow, leading to exfiltration of GITHUB_TOKEN credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40154 (shared CWE-829)
CVE-2026-28372 (shared CWE-829)
CVE-2026-4295 (shared CWE-829)
CVE-2026-40959 (shared CWE-829)
CVE-2025-70046 (shared CWE-829)
CVE-2025-27510 (shared CWE-829)
CVE-2025-27607 (shared CWE-829)
CVE-2026-32920 (shared CWE-829)
CVE-2026-43569 (shared CWE-829)
CVE-2026-41355 (shared CWE-829)

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediating the flaw by updating to commit 585c6a591440cd39f92374230ac5d65d7dd23d6a directly eliminates the vulnerable pull_request_target workflow configuration.

Prevent (CM-6, Configuration Settings): Enforcing secure configuration settings for GitHub Actions workflows prevents the misuse of pull_request_target that lets untrusted PR code access base repository secrets.

Prevent (AC-6, Least Privilege): Applying least privilege to GITHUB_TOKEN permissions keeps an attacker from taking over the repository even if the token is exfiltrated through the vulnerable workflow.
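Added example, not code from the advisory or the Folo project: a small audit that flags the pull_request_target pattern described in the deeper analysis above and checks for the configuration-settings and least-privilege controls listed here. It runs against two constructed workflow fragments, one shaped like the risky configuration and one hardened; the workflow contents, step commands and the audit_workflow function are assumptions for illustration.

```python
import re

# Constructed illustration of the risky workflow shape the advisory describes.
# Assumption: this is NOT the real Folo workflow file, only its general pattern.
RISKY_WORKFLOW = """\
name: auto-fix-lint-format-commit
on:
  pull_request_target:
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: npm ci && npm run lint:fix   # PR-controlled package scripts run here
"""

# Constructed hardened variant: untrusted PR code runs under plain pull_request
# (read-only token, no base-repo secrets) and the token scope is pinned (AC-6).
HARDENED_WORKFLOW = """\
name: lint-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
"""

PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def audit_workflow(text: str) -> list[str]:
    """Flag the CWE-829 pattern: pull_request_target + untrusted PR code + secrets."""
    findings = []
    if not re.search(r"^\s*pull_request_target\s*:", text, re.M):
        return findings  # plain pull_request gets a read-only token by design
    if PR_HEAD.search(text):
        findings.append("checks out the PR head, so PR-controlled code runs in the base-repo context")
    if "secrets." in text:
        findings.append("references repository secrets (GITHUB_TOKEN or others) in that context")
    if not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append("no top-level permissions block, so GITHUB_TOKEN keeps its default scope")
    return findings
```

A pull_request_target workflow that never checks out the PR head and pins a read-only permissions block produces no findings, which is the intended shape for base-branch automation.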
