
AVID-2026-R1706

Description

OZI-Project/ozi-publish Code Injection vulnerability (CVE-2025-47271)

Details

The OZI action is a GitHub Action that publishes releases to PyPI and mirrors releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.

Reason for inclusion in AVID: CVE-2025-47271 describes a code injection vulnerability in a GitHub Action (ozi-publish) used to publish Python releases and provenance data. This creates a potential remote code execution path via untrusted branch data during PR creation. While not AI-specific, AI systems rely on CI/CD pipelines, artifact packaging, and deployment workflows (e.g., Python packages, model-serving stacks, data pipelines). Therefore, this vulnerability impacts the software supply chain used to build, package, and deploy AI systems. The report includes affected versions, patch info, and references, providing sufficient evidence of the vulnerability and remediation.

References

Affected or Relevant Artifacts

  • Developer: OZI-Project
  • Deployer: OZI-Project
  • Artifact Details:
| Type | Name |
| --- | --- |
| System | publish |

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CWE

| ID | Description |
| --- | --- |
| CWE-94 | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| CWE-95 | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| CWE-1116 | CWE-1116: Inaccurate Comments |

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-05-12
  • Version: 0.3.3
  • AVID Entry