CWE-1116

Inaccurate Source Code Comments

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

CVE-2025-47271 (GCVE-0-2025-47271)
Vulnerability from cvelistv5
Published: 2025-05-12 10:52
Modified: 2025-05-12 12:12
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-1116 - Inaccurate Comments
Summary
The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.
Impacted products
Vendor: OZI-Project
Product: publish
Version: >= 1.13.2, < 1.13.6


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47271",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T12:10:34.546853Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T12:12:40.770Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "publish",
          "vendor": "OZI-Project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.13.2, \u003c 1.13.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1116",
              "description": "CWE-1116: Inaccurate Comments",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-12T10:52:26.916Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9"
        },
        {
          "name": "https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c"
        }
      ],
      "source": {
        "advisory": "GHSA-2487-9f55-2vg9",
        "discovery": "UNKNOWN"
      },
      "title": "OZI-Project/ozi-publish Code Injection vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47271",
    "datePublished": "2025-05-12T10:52:26.916Z",
    "dateReserved": "2025-05-05T16:53:10.372Z",
    "dateUpdated": "2025-05-12T12:12:40.770Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation

Phase: Implementation

Description:

  • Verify that each comment accurately reflects what is intended to happen during execution of the code.

No CAPEC attack patterns related to this CWE.
