A security vulnerability in Anthropic's Claude Code GitHub Action could have allowed an attacker to gain write access to any public repository running the workflow — armed with nothing more than a single crafted GitHub issue. The discovery, made by researcher RyotaK of GMO, highlights how the growing use of AI agents in CI/CD pipelines is introducing unfamiliar classes of risk into software supply chains.
How the Attack Worked
The Claude Code GitHub Action is designed to let developers integrate Anthropic's AI coding assistant directly into their CI/CD workflows, enabling automated code reviews, issue triage, and other tasks triggered by GitHub events. The flaw centred on how the action processed user-controlled data — specifically, the content of GitHub issues and other publicly submitted inputs.
When the action ingested issue content, it passed that data downstream into shell command execution without adequate sanitization. This meant an attacker could embed malicious payloads within an issue's title or body, which the action would then execute in the context of the CI/CD environment. While this vulnerability is sometimes loosely described alongside LLM prompt injection attacks, the core mechanism was more straightforwardly an input injection flaw: unsanitized public user data was reaching shell-level execution, a well-understood class of vulnerability applied in a novel context.
The Supply Chain Amplification Risk
What elevated this vulnerability from a single-repository concern to an ecosystem-wide threat was the architecture of the action's own distribution. According to the disclosure, Anthropic's repository for the Claude Code Action itself ran the same vulnerable workflow. Had an attacker exploited the flaw against that upstream repository, they could have injected malicious code directly into the action's source.
Because downstream projects typically reference a GitHub Action by a mutable tag or branch, so that each run pulls whatever the latest version is, a compromised action would propagate malicious code into every repository that consumed it. This is a textbook example of supply chain amplification in the CI/CD ecosystem — a single point of failure in a widely used action can cascade across thousands of projects.
A Growing Attack Surface
The discovery underscores a broader trend that security practitioners are watching closely. As AI agents become embedded in development workflows — reviewing pull requests, responding to issues, generating code — they create new junctions between untrusted public input and privileged CI/CD execution environments. Traditional input validation and the principle of least privilege remain essential, but developers now need to consider whether their AI-integrated actions are treating public user data as inert text or as potentially executable context.
RyotaK's finding serves as a reminder that CI/CD actions are a high-value target. A compromised action doesn't just affect one project; it can undermine the integrity of an entire dependency tree. For development teams relying on third-party actions, auditing permissions, pinning to specific verified commit SHAs rather than mutable tags, and scrutinizing how actions handle user-supplied data are increasingly non-negotiable practices.
Anthropic has reportedly addressed the vulnerability, though the full technical details of the fix have not yet been made publicly available. Teams using the Claude Code GitHub Action in their workflows should ensure they are running the latest version and review their CI/CD configurations for any lingering exposure to similar unsanitized input pathways.
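As an added example, not code from the disclosure or from the action's own repository: a small Python audit script that scans a workflow file for the two configuration weaknesses discussed above, untrusted issue or comment text interpolated into a `run:` shell step (the generic GitHub Actions expression-injection pattern the article describes as the mechanism; the disclosed code path itself has not been published), and actions referenced by mutable tags or branches rather than full commit SHAs. The slug `example-org/ai-triage-action`, the 40-hex SHA and both sample workflows are constructed placeholders, and the hardened sample shows the usual fix of passing event text through an environment variable instead of interpolating it into the script.

```python
import re

# Event fields an outside user controls: issue/PR/comment text and the fork branch name.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:event\.(?:issue|pull_request|comment|review)"
    r"\.(?:title|body)|head_ref)\b")
USES = re.compile(r"uses:\s*([^@\s]+)@(\S+)")
SHA = re.compile(r"[0-9a-f]{40}")  # only a full commit SHA is an immutable pin

def audit_workflow(text: str) -> list[tuple[int, str]]:
    """Line-based scan (no YAML library) returning (line_number, message) per risky line."""
    findings, in_run, run_indent = [], False, 0
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        is_item = stripped.startswith("- ")
        key = stripped[2:] if is_item else stripped
        if in_run and indent <= run_indent:  # block scalar of the run: step has ended
            in_run = False
        if key.startswith("run:"):
            in_run = key.rstrip().endswith(("|", ">"))  # script continues on later lines
            run_indent = indent + (2 if is_item else 0)
        if (key.startswith("run:") or in_run) and UNTRUSTED.search(line):
            findings.append((n, "untrusted event text interpolated into a shell step"))
        m = USES.match(key)
        if m and not SHA.fullmatch(m.group(2)):
            findings.append((n, f"{m.group(1)} uses mutable ref {m.group(2)!r}"))
    return findings

# Constructed sample workflows, trimmed to the relevant keys; slug and SHA are placeholders.
UNSAFE_WORKFLOW = """\
jobs:
  triage:
    steps:
      - uses: example-org/ai-triage-action@main
      - run: |
          echo "Triaging: ${{ github.event.issue.title }}"
"""
SAFE_WORKFLOW = """\
jobs:
  triage:
    steps:
      - uses: example-org/ai-triage-action@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "Triaging: $ISSUE_TITLE"
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
"""
```

Run `audit_workflow` over each `.github/workflows/*.yml` file; the safe sample yields no findings while the unsafe one flags both the mutable `@main` reference and the interpolated issue title.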