Security researchers warn that CI/CD pipelines are a major attack surface, urging organizations to harden CI/CD infrastructure to protect source code integrity and software supply chains.

The flaw could enable theft of the GITHUB_TOKEN and other secrets, with privilege levels tied to the token’s permissions, and CVSSv4 severity is rated at 9.3 out of 10.

A critical vulnerability in the Microsoft repository microsoft/Windows-driver-samples allowed any registered GitHub user to trigger remote code execution in the GitHub runner via a vulnerable workflow, enabling exfiltration of secrets and potential unauthorized actions on the repository.

Recommendations include imposing strict security controls on source code and automated workflows, restricting GITHUB_TOKEN permissions, and regularly auditing workflows to prevent injection vulnerabilities.

Microsoft patched the vulnerability through a pull request in the affected repository (microsoft/Windows-driver-samples/pull/1355).

Industry context shows a rising focus on CI/CD security risks, with incidents like the Trivy supply-chain attack illustrating rogue activity moving through pipelines.

Exploitation was described as trivial: an attacker could submit a malicious Python snippet in a GitHub issue description, which then ran in the GitHub Actions workflow and executed on the runner.