Security Weekly Podcast Network (Audio) Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355
Nov 4, 2025

Roi Nisimi, a cloud and offensive security researcher with a focus on GitHub Actions, joins Bar Kaduri to share insights from their research on remote code execution vulnerabilities. They discuss the common pitfalls of GitHub's documentation and reveal surprising findings about repo misconfigurations. The duo explains their automated reconnaissance methods and the challenges they faced during vendor disclosures. They also stress the need for improved security practices and the role of AI in enhancing security guidance.
AI Snips
Docs Revealed A Large Attack Surface
- Reading documentation revealed GitHub Actions' risky trigger (pull_request_target) and 100k repos using it.
- That combination made the issue scalable and worth deep research by Roi Nisimi.
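The trigger named in the snip is dangerous only in combination with a specific workflow pattern, so here is an added illustration (constructed for this page, not material from the episode or from the researchers) of the misconfiguration beside a corrected workflow. Workflow names, the `npm` commands and the repository layout are placeholders; the keys, the `actions/checkout` action and the `pull_request_target` semantics are GitHub's own.

```yaml
# Constructed example, not from the episode.
#
# RISKY PATTERN: pull_request_target runs in the context of the base repository,
# so the job has the repository's secrets and a GITHUB_TOKEN that can carry
# write scopes. This job then checks out and executes code from the untrusted
# fork pull request, which is exactly the configuration that turns a trigger
# into a remote code execution with secret access.
name: ci-risky
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted PR code
      - run: npm ci && npm test                            # runs it with secrets in scope
---
# SAFER FORM: untrusted PR code runs under plain pull_request, where fork PRs
# get a read-only token and no repository secrets; the token is additionally
# pinned to the least privilege the job needs. pull_request_target should be
# reserved for jobs that never check out or execute pull-request content.
name: ci-safer
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the merge ref in an unprivileged context
      - run: npm ci && npm test
```

The check to make when auditing a workflow is therefore two-part: does it use `pull_request_target`, and does any step in that workflow check out or run content controlled by the pull request (a `ref:` pointing at the PR head, or a script, package manifest or build file taken from it). Either part alone is fine; together they are the finding the episode describes.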
Lab First, Then Scale Recon
- Roi built a small lab to validate the attack and then scanned GitHub overnight to find 5,000 candidate repos.
- His first successful exploit was against a Microsoft repo, which boosted confidence to continue.
Slow Vendor Triage Frustrated Researchers
- Vendor communication was often slow; some big companies took three weeks to respond via third-party platforms.
- Roi and Bar found the slow triage alarming given the exploitability of the issues.
