GitHub Agentic Workflows Vulnerability Exposed

GitHub Agentic Workflows vulnerability exploit via indirect prompt injection

A seemingly mundane submission within a bug-tracking system can masquerade as a covert directive for artificial intelligence. Recently, researchers at Noma Labs demonstrated how a singular GitHub Issue can manipulate GitHub Agentic Workflows. Consequently, this flaw compels a repository’s AI agent to expose private contents within a public comment.

Understanding GitHub Agentic Workflows

GitHub Agentic Workflows seamlessly integrates GitHub Actions with an AI agent. This agent is typically powered by Claude or GitHub Copilot. Furthermore, development teams outline automation parameters using natural language. Subsequently, the AI agent parses issues, accesses files, and invokes specific tools. It then publishes responses under the permissions designated by the project owner.

The Mechanics of the GitLost Vulnerability

The vulnerability, detailed by Noma Labs as GitLost, stems from indirect prompt injection. Triggered upon issue assignment, the workflow evaluates the title and body of the submission. Therefore, it possesses the latitude to append comments and inspect repositories. The agent can access both public and private repositories within the organization. Crucially, the agent failed to delineate administrative instructions from untrusted user input. As a result, it interpreted phrases embedded within the issue as legitimate commands.

Demonstrating the Exploit

In a controlled demonstration, Noma Labs fashioned a plausible issue. They created it under the guise of a Vice President of Sales. Upon assignment, the agent retrieved the README.md files from two repositories. One repository was public, while the other was strictly private. Next, the agent consolidated their contents. It then disseminated the aggregated information in a public comment. However, the researchers did not execute any actual attacks against external projects.

Bypassing Safety Guardrails

The system’s safety guardrails were circumvented through a remarkably simple linguistic adjustment. Specifically, the inclusion of the word “Additionally” altered the structural response of the model. This addition successfully bypassed refusal mechanisms. It worked even though the underlying request clearly demanded data disclosure. Consequently, this demonstration underscores a critical risk. Issues, comments, and files can inadvertently transform into executable instructions. This happens when a system fails to segregate commands from the data being processed.

Recommended Mitigation Strategies

Noma Labs disclosed these findings to GitHub in accordance with responsible disclosure practices. To mitigate such risks, developers must adopt strict security measures. First, you should treat user-generated text as inherently untrusted. Second, always provision agents with the absolute minimum necessary privileges. Additionally, security teams must restrict data publication in public forums. Finally, you should rigorously isolate user input from system prompts prior to model processing.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply