Summary
A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script.
In affected versions, setup-php may read the PHP version from:
.php-version
composer.lock via platform-overrides.php
composer.json via config.platform.php
If an attacker can influence one of these files and the workflow executes setup-php in a trusted context, they may be able to execute commands on the GitHub Actions runner.
Impact
This issue is exploitable when setup-php is run after checking out attacker-controlled repository contents and resolves the PHP version from repository files.
The most significant example is a privileged workflow such as pull_request_target that checks out untrusted pull request code before invoking setup-php. Similar risk can also arise in other workflows that operate on attacker-controlled refs, branches, or repository contents in a trusted context.
This is not a separate security boundary when an attacker can already modify the workflow definition itself or directly control the php-version workflow input, since that level of access already permits arbitrary command execution in GitHub Actions.
Technical details
In affected versions, repository-derived PHP version values were insufficiently constrained before being incorporated into the generated shell or PowerShell setup script executed by the action. This could allow attacker-controlled values from supported repository files to influence script execution in trusted workflow contexts.
Remediation
If you are using shivammathur/setup-php@v2, no action is needed on your end: the moving v2 tag already resolves to a patched release. Users who pin setup-php to a specific release version or release SHA should upgrade to a patched version.
The fix validates PHP version inputs, constrains manifest-derived versions, hardens script generation at the point of execution, and includes additional checks in related input-handling paths.
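The following is an added illustrative example, not code from setup-php, of the input constraint the technical details and remediation sections describe: a repository-derived PHP version is accepted only if it is a plain version string before it is placed into a generated command, and the unsafe string interpolation is shown beside the hardened argv form. The lookup order across the three files, the normalization to major.minor, the `linux.sh` script name and every file content in the example are assumptions made for this example.

```typescript
// Added illustrative example (not setup-php's own code): resolve a
// repository-controlled PHP version and refuse anything that is not a
// plain version string before it reaches a generated shell command.
// All file contents used with this code are constructed for the example.

const PHP_VERSION_RE = /^(\d{1,2})\.(\d{1,2})(?:\.(\d{1,3}))?$/;

interface RepoFiles {
  phpVersionFile?: string; // raw contents of .php-version
  composerLock?: string;   // raw contents of composer.lock
  composerJson?: string;   // raw contents of composer.json
}

// Accept only "major.minor" or "major.minor.patch" and return the
// normalized "major.minor" form (an assumption for this example); return
// null for anything else, including shell metacharacters, embedded
// newlines and words such as "latest".
function validatePhpVersion(raw: unknown): string | null {
  if (typeof raw !== 'string') return null;
  const m = PHP_VERSION_RE.exec(raw.trim());
  if (m === null) return null;
  return `${m[1]}.${m[2]}`;
}

function parseJson(text: string | undefined): any {
  if (text === undefined) return undefined;
  try { return JSON.parse(text); } catch { return undefined; }
}

// Lookup order is an assumption for this example: .php-version, then
// composer.lock platform-overrides, then composer.json config.platform.
function resolvePhpVersion(files: RepoFiles): string | null {
  const candidates: unknown[] = [
    files.phpVersionFile,
    parseJson(files.composerLock)?.['platform-overrides']?.php,
    parseJson(files.composerJson)?.config?.platform?.php,
  ];
  for (const c of candidates) {
    // Absent or blank sources fall through to the next file.
    if (c === undefined || (typeof c === 'string' && c.trim() === '')) continue;
    // A present but invalid value fails closed instead of falling through,
    // so a payload in one file cannot be hidden behind a clean value in another.
    return validatePhpVersion(c);
  }
  return null;
}

// The unsafe pattern: an unchecked value interpolated into a string that a
// shell will parse. With version = '8.1; id' the shell also runs `id`.
function unsafeSetupCommand(version: string): string {
  return `bash linux.sh ${version}`;
}

// The hardened pattern: validate first, then pass the value as its own argv
// element so no shell ever parses it. Returns null when the version is rejected.
function safeSetupArgv(version: string): string[] | null {
  const v = validatePhpVersion(version);
  return v === null ? null : ['bash', 'linux.sh', v];
}
```

Two choices matter here. The allow-list regex is anchored at both ends and applied after trimming only surrounding whitespace, so a trailing newline from a `.php-version` file is tolerated but an embedded one is not. And a malformed value in a higher-priority file is rejected outright rather than skipped, because falling through would let an attacker pick which source wins simply by making one of them unparseable.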
References