[Eclipse Theia] Critical RCE via pull_request_target Workflow
Security Vulnerability Report – Critical RCE via pull_request_target Workflow
Repository
eclipse-theia/theia-website
Severity
Critical (CVSS 10.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Category
CI/CD Supply Chain – GitHub Actions Remote Code Execution (RCE)
Reporters
Barak Haryati | JFrog
GitHub: https://github.com/barakharyati
This research was conducted as part of JFrog’s Open Source and Supply Chain Security Contribution efforts.
Date
2026-01-04
Summary
A critical Remote Code Execution (RCE) vulnerability exists in the GitHub Actions CI workflow of eclipse-theia/theia-website.
Vulnerable Workflow: .github/workflows/preview.yml
The workflow is triggered using pull_request_target, checks out untrusted pull request code, and executes attacker-controlled scripts with access to repository secrets.
Job Permissions: Full write access, including:
- contents: write - Full repository takeover
- packages: write - Publish to entire organization's packages
- pages: write - Modify GitHub Pages
- actions: write - Modify workflows
This allows a malicious pull request author to execute arbitrary code in the base repository security context, leading to full secret exposure, package poisoning, and CI compromise.
This issue is confirmed and validated, not theoretical.
Root Cause Analysis
The following insecure pattern causes the vulnerability:
- The workflow is triggered by pull_request_target, which runs with base-repository privileges.
- The workflow checks out the pull request code and executes PR-controlled commands.
- The GITHUB_TOKEN has extensive write permissions (see full list below).
- Secrets are accessible during the workflow run.
This combination enables arbitrary code execution with access to sensitive secrets and organization-wide package publishing rights.
GITHUB_TOKEN Permissions
The GITHUB_TOKEN in this workflow has extensive write permissions:
| Permission | Access | Impact |
|---|---|---|
| Actions | write | Modify workflow files |
| ArtifactMetadata | write | Tamper with build artifacts |
| Attestations | write | Forge attestations |
| Checks | write | Manipulate check results |
| Contents | write | Full repository takeover |
| Deployments | write | Control deployments |
| Discussions | write | Manipulate discussions |
| Issues | write | Modify issues |
| Packages | write | Publish malicious packages to entire org |
| Pages | write | Modify GitHub Pages (theia website) |
| PullRequests | write | Manipulate PRs |
| RepositoryProjects | write | Modify projects |
| SecurityEvents | write | Tamper with security alerts |
| Statuses | write | Manipulate commit statuses |
Complete List of Exfiltrable Secrets
| Secret Name | Purpose | Impact if Compromised |
|---|---|---|
| DEPLOY_PREVIEW_TOKEN | Deploy to theia-website-previews | Cross-repository access |
| GITHUB_TOKEN | Organization-wide access | Full org package poisoning, repository takeover |
Elevated Impact: Workflow Modification
Because the GITHUB_TOKEN has contents:write AND actions:write permissions, an attacker can:
- Push new malicious workflows that exfiltrate additional secrets
- Modify existing workflows to persist backdoors
- Access any other secrets configured in the repository by creating workflows that reference them
Eclipse-Theia Organization Packages at Risk
The packages:write permission allows publishing malicious packages to the entire eclipse-theia organization. Active packages include:
| Package | Downloads | Impact |
|---|---|---|
| theia-blueprint/theia-ide | 23.7k | Primary Theia IDE Docker image |
| theia-ide | 11.5k | Theia IDE package |
| theia-blueprint/blueprint | 1.94k | Theia Blueprint |
| theia-blueprint/blueprint-theia-builder | 394 | Builder image |
| org.eclipse.theia.cloud.conf | - | Cloud configuration |
| org.eclipse.theia.cloud.common | - | Cloud common components |
| org.eclipse.theia.cloud.operator | - | Kubernetes operator |
| org.eclipse.theia.cloud.service | - | Cloud service |
Total potential impact: 37,000+ downloads of compromised packages
Broader Eclipse Organization Impact
Eclipse Theia IDE is used across the main Eclipse organization. A search reveals Theia IDE references in multiple Eclipse repositories:
- eclipse/che-theia-task-plugin
- eclipse/che-theia-java-plugin
- eclipse/che-theia-samples
- And more...
Compromising eclipse-theia packages could serve as a stepping stone to attack the broader Eclipse ecosystem, affecting millions of developers worldwide.
Proof of Exploitation (Validated)
The vulnerability was successfully exploited by modifying package.json in a forked repository to introduce malicious commands that were executed automatically by the CI workflow.
The PoC was performed on a fork for responsible disclosure and testing purposes.
Proof of Concept Links
- Malicious pull request demonstrating RCE: https://github.com/eclipse-theia/theia-website/pull/902/checks#step:1:20
- Job permissions showing elevated access: https://github.com/eclipse-theia/theia-website/actions/runs/20693702633/job/59405581819#step:1:21
The workflow executed attacker-controlled code, confirming real RCE in the privileged CI environment.
Impact
An attacker can:
- ✅ Execute arbitrary commands in GitHub Actions runners
- ✅ Exfiltrate the GITHUB_TOKEN with full write permissions
- ✅ Exfiltrate DEPLOY_PREVIEW_TOKEN for cross-repo access
- ✅ Publish malicious packages to the entire eclipse-theia org (37k+ downloads)
- ✅ Modify the official Theia website via GitHub Pages
- ✅ Push malicious code to the repository
- ✅ Create/modify workflows to persist backdoors
- ✅ Pivot to broader Eclipse ecosystem attacks
- ✅ Compromise CI integrity
Privilege Exposure Details
During exploitation, the workflow executed attacker-controlled code with access to high-value credentials and permissions, including:
- DEPLOY_PREVIEW_TOKEN for cross-repository deployment
- A GITHUB_TOKEN with 15+ write permissions including organization package publishing
- Node authentication token (NODE_AUTH_TOKEN) exposed in environment
This elevates the issue from a CI compromise to a full organization-level supply-chain risk affecting the Eclipse ecosystem.
Full Attack Chain Visualization
```
STAGE 1: Initial Access via Malicious Pull Request
  Attacker forks eclipse-theia/theia-website
  └──► Modifies package.json with malicious scripts
  └──► Opens Pull Request to upstream repository
        │
        ▼
STAGE 2: Code Execution via pull_request_target
  preview.yml workflow triggers on pull_request_target
  └──► Checks out PR code
  └──► Executes npm install / build commands
  └──► ATTACKER CODE RUNS IN BASE REPO CONTEXT
        │
        ▼
STAGE 3: Token & Secret Exfiltration
  Exfiltrate via webhook:
  • GITHUB_TOKEN (15+ write permissions)
  • DEPLOY_PREVIEW_TOKEN (cross-repo access)
  • NODE_AUTH_TOKEN (npm registry access)
  • Git config with authorization headers
        │
        ▼
STAGE 4: Organization Package Poisoning
  Using packages:write permission:
  └──► Push backdoored theia-ide package (23.7k downloads)
  └──► Push backdoored theia-blueprint (1.94k downloads)
  └──► Compromise ALL eclipse-theia packages
        │
        ▼
STAGE 5: Repository Takeover
  Using contents:write + actions:write:
  └──► Push malicious code to main branch
  └──► Create persistent backdoor workflows
  └──► Modify GitHub Pages (official website)
        │
        ▼
STAGE 6: Eclipse Ecosystem Compromise
  Pivot to broader Eclipse organization:
  └──► Compromised Theia packages used by eclipse/che-*
  └──► Attack Eclipse IDE users via poisoned dependencies
  └──► Potential access to Eclipse Foundation infrastructure
        │
        ▼
DOWNSTREAM IMPACT
  • 37,000+ package downloads compromised
  • Eclipse IDE ecosystem at risk
  • Official Theia website could serve malware
  • Millions of developers potentially affected
```
Severity Justification
| Factor | Assessment |
|---|---|
| Attack Vector | Network (exploitable from forked pull requests) |
| Attack Complexity | Low (no special conditions required) |
| Privileges Required | None (any GitHub user can fork and submit PR) |
| User Interaction | None (workflow triggers automatically) |
| Scope | Changed (impacts entire eclipse-theia org + Eclipse ecosystem) |
| Confidentiality Impact | High (all secrets exfiltrated) |
| Integrity Impact | High (packages poisoned, code modified, website compromised) |
| Availability Impact | High (CI/CD pipeline can be disrupted) |
Severity: Critical (CVSS 10.0)
Recommended Remediation
Immediate Actions
- Do not use pull_request_target for workflows that:
  - Check out pull request code
  - Execute build or test commands
  - Access secrets
- Replace with pull_request and avoid secrets for PRs from forks.
- Restrict GITHUB_TOKEN permissions:

  ```yaml
  permissions:
    contents: read
    # Only add write permissions that are strictly necessary
  ```

- If pull_request_target must be used:
  - Check out only the base branch
  - Never run PR-controlled code in privileged jobs
  - Never inject secrets into PR-controlled execution paths
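The combination named in the root cause analysis (pull_request_target, checkout of the pull request head, run steps, a write-scoped token, secrets) can be checked mechanically across a repository's workflow files. The script below is an added example, not code from the report or the project; both workflow samples are constructed for illustration (they are not the project's preview.yml), and `audit_workflow` is a hypothetical helper name.

```python
import re
# Constructed workflow showing the pattern the report describes (NOT the project's preview.yml).
VULNERABLE = """\
on: pull_request_target
permissions: write-all
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm run build
        env:
          DEPLOY_PREVIEW_TOKEN: ${{ secrets.DEPLOY_PREVIEW_TOKEN }}
"""
# Constructed hardened counterpart: unprivileged trigger, read-only token, no secrets.
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""
PR_HEAD = re.compile(r"ref:.*(github\.event\.pull_request\.head\.|refs/pull/)")
WRITE = re.compile(r"^\s*(permissions:\s*write-all|[\w-]+:\s*write)\s*$", re.M)
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)")

def audit_workflow(text):
    """Heuristic, line-based audit of one workflow file; returns a list of findings."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return []  # no privileged PR trigger, so this check does not apply
    findings = ["trigger: pull_request_target runs with base-repository privileges"]
    if PR_HEAD.search(body):
        findings.append("checkout: pull request head is checked out in the privileged job")
        if re.search(r"^\s*-?\s*run:", body, re.M):
            findings.append("exec: run steps can execute PR-controlled scripts")
    if WRITE.search(body):
        findings.append("token: GITHUB_TOKEN is granted write permissions")
    for name in sorted(set(SECRET.findall(body))):
        findings.append(f"secret: {name} is exposed to the job")
    return findings
if __name__ == "__main__":
    print(audit_workflow(VULNERABLE), audit_workflow(HARDENED), sep="\n")
```

Because the check reads one file line by line, it does not follow reusable workflows or composite actions; an empty result means "not detected", not "safe".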
Secret Rotation
As a precaution, rotate the following secrets immediately:
- DEPLOY_PREVIEW_TOKEN
- Any other secrets referenced in workflow files
Package Verification
- Audit recent package publications for signs of tampering
- Enable package signing and attestations
- Review package publication logs
Disclosure Notes
- This vulnerability was responsibly disclosed
- No secrets were accessed beyond proof-of-execution
- Testing was performed on a fork for responsible disclosure
- The token exfiltration was demonstrated to webhook.site (controlled endpoint)
Evidence Screenshots
Evidence 1: GITHUB_TOKEN Permissions
Shows the extensive write permissions granted to the workflow (contents:write, packages:write, pages:write, etc.)
Evidence 2: GITHUB_TOKEN Exfiltration
Demonstrates successful exfiltration of the git config containing the GITHUB_TOKEN authorization header via webhook.site.
Evidence 3: Environment Variables & NODE_AUTH_TOKEN Exfiltration
Shows the complete environment dump including NODE_AUTH_TOKEN and confirmation of RCE execution.
Evidence 4: Repository Secrets
Shows the DEPLOY_PREVIEW_TOKEN secret referenced in the workflow file.
Evidence 5: Active Organization Packages
Shows the eclipse-theia organization packages that could be poisoned (37k+ total downloads).
Evidence 6: Branch Creation (contents:write proof)
Demonstrates the ability to create branches in the repository, proving contents:write permissions work.
Evidence 7: Theia IDE Usage in Eclipse Organization
Shows Theia IDE references across the broader Eclipse organization, demonstrating the potential for ecosystem-wide compromise.
Contact
Barak Haryati | JFrog
https://github.com/barakharyati






