CVE-2025-54430 · CRITICAL 9.1 · EPSS p23.5%


Description

dedupe is a Python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability existed in the .github/workflows/benchmark-bot.yml workflow, which is triggered by an issue_comment whose body contains @benchmark. The workflow is exploitable because it checks out ${{ github.event.issue.number }}, which corresponds to the branch of a pull request that a potentially malicious actor controls, so untrusted code from that branch may be executed. Running untrusted code may lead to exfiltration of GITHUB_TOKEN, which in this workflow has write permissions on most scopes, in particular contents, and could lead to repository takeover. This is fixed by commit 3f61e79.
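The workflow shape the description refers to, as an added, constructed illustration: it is not the repository's actual benchmark-bot.yml and does not reproduce what commit 3f61e79 changed; the job name, the `benchmarks/run.py` path and the `@benchmark` gate are assumptions. The first document shows the unsafe combination (comment-triggered privileged job that checks out and runs PR-head code with a default write token); the second shows the standard mitigations a defender would apply.

```yaml
# Constructed illustration of the weakness class described above; NOT the
# real contents of dedupe's .github/workflows/benchmark-bot.yml.

# --- Unsafe shape: a comment on a PR triggers a privileged job that runs
#     code taken from the PR head.
name: benchmark-bot (unsafe shape)
on:
  issue_comment:
    types: [created]
# No top-level `permissions:` block, so GITHUB_TOKEN receives the
# repository default, which is frequently read/write on contents.
jobs:
  benchmark:
    if: contains(github.event.comment.body, '@benchmark')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # For a comment on a PR, issue.number is the PR number, so this
          # checks out the PR author's branch.
          ref: refs/pull/${{ github.event.issue.number }}/head
      # Executes PR-controlled code while a write-capable token is in scope.
      - run: pip install -e . && python benchmarks/run.py
---
# --- Hardened shape: least-privilege token, only PR comments, and a gate on
#     who may trigger the run.
name: benchmark-bot (hardened shape)
on:
  issue_comment:
    types: [created]
permissions:
  contents: read          # token can no longer push; grant only what the job needs
jobs:
  benchmark:
    if: >-
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '@benchmark') &&
      contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
          persist-credentials: false   # keep the token out of .git/config where checked-out code could read it
      - run: pip install -e . && python benchmarks/run.py
```

The gate on author_association limits who can launch the job; the read-only token limits what the job can do if PR code still runs, which is the protection that matters once the checkout has happened.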

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.32% probability of exploitation · percentile 23.5% · 2026-06-18T12:00:27Z
Published: 2025-07-30
Last modified: 2026-04-15

Underlying weaknesses (1)

CWE-78

References

  1. https://github.com/dedupeio/dedupe/commit/3f61e79102910bd355e920a2df7e44c14c9cb247
  2. https://github.com/dedupeio/dedupe/security/advisories/GHSA-wrg3-xqw8-m85p

Type     | Target                                                                                        | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-31479
CVE: CVE-2025-54416
CVE: CVE-2025-53546
CVE: CVE-2025-32111
CVE: CVE-2026-42603
CVE: CVE-2025-5302
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.