
Security: fixed EOF heredoc delimiter in action.yml enables step output injection #526

@fg0x0


Summary

action.yml writes the Gemini CLI's LLM response to $GITHUB_OUTPUT using a fixed EOF heredoc delimiter (lines 353-359). If the LLM response contains a bare EOF line, the heredoc closes early and subsequent name=value lines become arbitrary step outputs.

This enables bash injection in any downstream consumer workflow that template-interpolates ${{ steps.gemini_run.outputs.X }} into a run: block.

Root Cause

echo "gemini_response<<EOF" >> "${GITHUB_OUTPUT}"     # fixed delimiter
echo "${RESPONSE}" >> "${GITHUB_OUTPUT}"              # attacker-influenced
echo "EOF" >> "${GITHUB_OUTPUT}"                       # fixed delimiter

Fix

Replace fixed EOF with a random per-invocation delimiter:

_DELIM="ghdelim_$(openssl rand -hex 16)"
echo "gemini_response<<${_DELIM}" >> "${GITHUB_OUTPUT}"
echo "${RESPONSE}" >> "${GITHUB_OUTPUT}"
echo "${_DELIM}" >> "${GITHUB_OUTPUT}"

This follows the canonical pattern from GitHub's official docs.

Impact

  • Present since v0.1.12 (PR Release: v0.1.12 #247, 2025-08-25)
  • Affects both gemini_response and gemini_errors output channels
  • Zero authentication required (public issue triggers the flow)
  • Distinct from GHSA-62f2-6rx8-v262 (TOML template fix) - same repo, different vulnerability
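As an added example (not code from this issue or from the action itself), the script below models how the runner reads $GITHUB_OUTPUT and shows the difference between the fixed EOF delimiter and a per-invocation random one: with EOF, a constructed response containing a bare EOF line yields two output records; with a random delimiter it yields one. The parser, the helper names and the use of od instead of openssl for randomness are this example's own assumptions.

```shell
# Added example, not code from the issue or the action: a small model of how the
# runner reads $GITHUB_OUTPUT, to show why a fixed "EOF" delimiter lets response
# lines become extra outputs and why a per-invocation random delimiter does not.

# Append one multiline record the way action.yml does, delimiter chosen by caller.
write_output() {  # $1=output file  $2=name  $3=value  $4=delimiter
  printf '%s<<%s\n%s\n%s\n' "$2" "$4" "$3" "$4" >> "$1"
}

# Minimal model of the runner's parser: prints one "name=value" line per record.
# A heredoc record ends at the first line equal to its delimiter; anything after
# that is read as a fresh record.
parse_outputs() {  # $1=output file
  awk '
    in_heredoc { if ($0 == delim) { print name "=" val; in_heredoc = 0 }
                 else { val = (val == "" ? $0 : val "\\n" $0) }
                 next }
    { i = index($0, "<<")
      if (i > 0) { name = substr($0, 1, i - 1); delim = substr($0, i + 2)
                   val = ""; in_heredoc = 1; next }
      j = index($0, "=")
      if (j > 0) print $0 }
  ' "$1"
}

# Defensive check: exit 0 when the value contains a whole line equal to the
# delimiter, i.e. the record would be cut short.
delimiter_collides() {  # $1=delimiter  $2=value
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Random per-invocation delimiter (the issue's fix uses openssl; od is used here
# so the example has no extra dependency).
random_delim() { printf 'ghdelim_%s' "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"; }

# Constructed LLM response: a bare EOF line followed by a name=value line.
RESPONSE=$(printf 'Looks good to me.\nEOF\nextra_key=unexpected')

# Number of output records the runner would see for a given delimiter.
count_outputs() {  # $1=delimiter
  f=$(mktemp)
  write_output "$f" gemini_response "$RESPONSE" "$1"
  parse_outputs "$f" | awk 'END { print NR }'
  rm -f "$f"
}

echo "fixed EOF delimiter -> $(count_outputs EOF) output(s)"                   # 2
echo "random delimiter    -> $(count_outputs "$(random_delim)") output(s)"     # 1
```

The delimiter_collides check is the guard a consumer can run before writing: it flags the fixed EOF case on this response and passes for the random delimiter.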
