Description

Folo organizes feeds content into one timeline. Using pull_request_target on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets (from the base repo). By exploiting the vulnerability is possible to exfiltrate GITHUB_TOKEN which has high privileges. GITHUB_TOKEN can be used to completely overtake the repo since the token has content write privileges. This vulnerability is fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a.

INFO

Published Date :

2025-07-09T14:27:40.848Z

Last Modified :

2025-07-09T16:00:30.688Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-53546 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-53546.

URL Resource
https://github.com/RSSNext/Folo/commit/585c6a591440cd39f92374230ac5d65d7dd23d6a cve-icon cve-icon
https://github.com/RSSNext/Folo/security/advisories/GHSA-h87r-5w74-qfm4 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact