cve/2024/CVE-2024-41127.md

### [CVE-2024-41127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41127)
![](https://img.shields.io/static/v1?label=Product&message=monkeytype&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%2024.30.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-74%3A%20Improper%20Neutralization%20of%20Special%20Elements%20in%20Output%20Used%20by%20a%20Downstream%20Component%20('Injection')&color=brighgreen)

### Description

Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0.

### POC

#### Reference
- https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9
- https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype

#### Github
No PoCs found on GitHub currently.