CVE-2025-54430

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-54430

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54430.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-54430

Aliases

GHSA-wrg3-xqw8-m85p

Published

2025-07-30T14:15:29Z

Modified

2025-07-31T20:50:54.997119Z

Summary

[none]

Details

dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomment can be triggered using the @benchmark body. This workflow is susceptible to exploitation as it checkout the ${{ github.event.issue.number }}, which correspond to the branch of the PR manipulated by potentially malicious actors, and where untrusted code may be executed. Running untrusted code may lead to the exfiltration of GITHUBTOKEN, which in this workflow has write permissions on most of the scopes - in particular the contents one - and could lead to potential repository takeover. This is fixed by commit 3f61e79.

References

Affected packages

Git / github.com/dedupeio/dedupe

Affected ranges

Type: GIT
Repo: https://github.com/dedupeio/dedupe
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3f61e79102910bd355e920a2df7e44c14c9cb247

Affected versions

1.*

1.7.2-forreal

3.*

3.0.0

Other

pypideploy2

test_github_actions_1

test_github_actions_2

test_github_actions_3

test_github_actions_4

test_github_actions_5

travislap

vpython34x64

wide_windows_build

v.*

v.1.6.0py3.5

v.1.6.1appveyormorepowershellfutzing

v.1.6.1appveyorpowershellfutzing

v.1.6.1appveyortwine

v0.*

v0.4.0

v0.5.0

v0.5.0.1

v0.5.2.1

v0.5.3.0

v0.6.0

v0.7.0

v0.7.1

v0.7.3

v0.7.4

v0.7.5

v0.7.6.3

v1.*

v1.0.0

v1.10.0

v1.3.8

v1.3.8appveyor1

v1.4.0

v1.4.1

v1.4.10

v1.4.11

v1.4.12

v1.4.13

v1.4.14

v1.4.15

v1.4.2

v1.4.3

v1.4.3forreal

v1.4.4

v1.4.5

v1.4.6

v1.4.7a

v1.4.8

v1.4.9

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.6appveyor

v1.5.6fixpassword

v1.5.6fixtest

v1.6.0

v1.6.1

v1.6.10

v1.6.10-manylinux

v1.6.11

v1.6.11-forreal

v1.6.12

v1.6.13

v1.6.14

v1.6.14-freal

v1.6.15

v1.6.15_manylinux

v1.6.17

v1.6.1verboseappveyor

v1.6.1warehouse

v1.6.2

v1.6.2sleepy

v1.6.2twine_deploy

v1.6.3

v1.6.4

v1.6.5

v1.6.7

v1.6.7-retry

v1.6.9

v1.7.0

v1.7.0-appveyor

v1.7.1

v1.7.3

v1.7.4

v1.7.4-forreal

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v1.8.0

v1.8.0forreal

v1.8.1

v1.8.2

v1.8.2foreal

v1.9.0

v1.9.1

v1.9.2forreal1

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v1.9.7

v1.9.9

v2.*

v2.0.0

v2.0.1

v2.0.10

v2.0.11

v2.0.12

v2.0.13

v2.0.14

v2.0.15

v2.0.16

v2.0.17

v2.0.18

v2.0.19

v2.0.2

v2.0.2-retry-1

v2.0.20

v2.0.21

v2.0.21.py.typed

v2.0.22

v2.0.23

v2.0.24

v2.0.24.redux

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.7manylinux

v2.0.7manylinux2

v2.0.8

v2.0.9

v2.0.9-alt_build

v2.0.9-longbuild

v3.*

v3.0.1

v3.0.2

v3.0.3