CVE-2024-42482

fish-shop/syntax-check Improper Neutralization of Delimiters

Description

fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.

Category

4.8
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.50%
Vendor Advisory github.com
Affected: fish-shop syntax-check
Published at:
Updated at:

References

Link Tags
https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2 vendor advisory
https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03 patch
https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca patch

Frequently Asked Questions

What is the severity of CVE-2024-42482?
CVE-2024-42482 has been scored as a medium severity vulnerability.
How to fix CVE-2024-42482?
To fix CVE-2024-42482, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-42482 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-42482 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-42482?
CVE-2024-42482 affects fish-shop syntax-check.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.