CVE-2024-42471

actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/actions/toolkit/pull/1666
https://github.com/actions/toolkit/security/advisories/GHSA-6q32-hq47-5qq3	Vendor Advisory
https://snyk.io/research/zip-slip-vulnerability	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:github:actions\/artifact:*:*:*:*:*:node.js:*:*

Configuration 2 (hide)

cpe:2.3:a:github:actions_toolkit:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-02 18:15

Updated : 2025-08-27 22:15

NVD link : CVE-2024-42471

Mitre link : CVE-2024-42471

CVE.ORG link : CVE-2024-42471

JSON object : View

Products Affected

github

actions_toolkit
actions\/artifact

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-42471", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-02T18:15:35.540", "references": [{"url": "https://github.com/actions/toolkit/pull/1666", "source": "[email protected]"}, {"url": "https://github.com/actions/toolkit/security/advisories/GHSA-6q32-hq47-5qq3", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://snyk.io/research/zip-slip-vulnerability", "tags": ["Not Applicable"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue."}, {"lang": "es", "value": "acciones/artifact es el kit de herramientas de GitHub para desarrollar acciones de GitHub. Las versiones de `actions/artifact` anteriores a la 2.1.7 son vulnerables a la escritura arbitraria de archivos cuando se usa `downloadArtifactInternal`, `downloadArtifactPublic` o `streamExtractExternal` para extraer un artefacto manipulado espec\u00edficamente que contiene nombres de archivos de path traversal. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.1.7 o superior. No existen workarounds para este problema."}], "lastModified": "2025-08-27T22:15:44.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:github:actions\\/artifact:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E037DCFA-551B-45AF-87D1-2A8682430E81", "versionEndExcluding": "2.1.7", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:github:actions_toolkit:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C0C6149-DA12-486E-A4ED-F632E8CF7592"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}