Malicious Curl Pipe Bash
Description
`curl ... | bash` downloads and executes remote code in one step with zero verification. If the server or DNS is compromised—or the script changes unexpectedly—attackers gain full control of the workflow’s token and secrets. GitHub’s hardening guide calls this pattern unsafe because it bypasses review and integrity checks. [1]
Vulnerable Instance
```yaml
jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - name: Install tool
        run: curl -fsSL https://example.com/install.sh | bash
```
Mitigation Strategies
- Avoid piping to shell: Download files to disk, inspect them, then execute.
- Verify integrity: Check signatures/hashes or use releases with checksums.
- Pin versions: Reference immutable assets (e.g., GitHub releases) rather than latest endpoints.
- Prefer actions: Use vetted GitHub Actions or container images instead of ad-hoc scripts.
- Restrict network egress: If scripts must be fetched, use allowlists and TLS with certificate pinning. [1]
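A fail-closed implementation of the first three mitigations (download to disk, verify against a pinned digest, execute only on a match), added here as an example; it is not code from the original article or from GitHub's hardening guide. All function names, the sample installer script and its digest are constructed for this example, and the only external tools it relies on are curl and GNU coreutils (`sha256sum`, `mktemp`, `cut`).

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or GitHub Docs.
# Download an installer to disk, verify it against a pinned SHA-256 digest,
# and execute it only on a match. All function names are constructed here;
# external dependencies: curl, GNU coreutils (sha256sum, mktemp, cut).
set -eu

# Return 0 only if $1 is a plausible SHA-256 hex digest (exactly 64 hex chars).
# This catches placeholders such as "abc123" before sha256sum ever runs.
is_sha256_hex() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Verify file $1 against pinned digest $2; returns 0 on match, non-zero otherwise.
# sha256sum --check reads "<digest>  <file>" lines (two spaces) from stdin ("-");
# --status suppresses output so the exit code is the only signal.
verify_sha256() {
    file="$1"; expected="$2"
    if ! is_sha256_hex "$expected"; then
        echo "refusing: expected digest is not a 64-char SHA-256 hex string" >&2
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "refusing: $file does not exist" >&2
        return 1
    fi
    printf '%s  %s\n' "$expected" "$file" | sha256sum --check --status -
}

# Fetch to a file on disk, never into a shell. -f fails on HTTP errors so an
# error page is not saved (and later executed); --proto '=https' refuses any
# redirect to plain http. Not exercised by the offline demo below.
fetch_to_disk() {
    curl -fsSL --proto '=https' --tlsv1.2 "$1" -o "$2"
}

# Execute the installer only after verify_sha256 succeeds.
install_verified() {
    if verify_sha256 "$1" "$2"; then
        bash "$1"
    else
        echo "not running $1: verification failed" >&2
        return 1
    fi
}

# Offline demo on a constructed local installer (no network needed).
demo() {
    dir="$(mktemp -d)"
    printf '#!/bin/sh\necho "installer ran"\n' > "$dir/install.sh"
    good="$(sha256sum "$dir/install.sh" | cut -d' ' -f1)"
    install_verified "$dir/install.sh" "$good"                   # verified: runs
    ! install_verified "$dir/install.sh" "abc123"                # placeholder digest: refused
    ! install_verified "$dir/install.sh" "$(printf '%064d' 0)"   # wrong digest: refused
    rm -rf "$dir"
}

demo
```

In a workflow, `fetch_to_disk` and `install_verified` would be separate `run:` steps, with the expected digest stored as a pinned value next to a versioned release URL rather than a `latest` endpoint. The digest-format check matters because `sha256sum --check` rejects a malformed expected value as "improperly formatted" rather than as a mismatch, so a placeholder digest must fail the step explicitly instead of being mistaken for a verification failure of the download.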
Secure Version
jobs:
setup:
runs-on: ubuntu-latest
steps:
- - name: Install tool
- run: curl -fsSL https://example.com/install.sh | bash
+ - name: Download installer
+ run: curl -fsSL https://example.com/install.sh -o install.sh
+ - name: Verify checksum
+ run: echo "abc123 install.sh" | sha256sum --check -
+ - name: Run installer
+ run: bash install.sh
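Review bot: the pinned value in the `Verify checksum` step, `echo "abc123 install.sh" | sha256sum --check -`, is not a SHA-256 digest (a real one is 64 hex characters), so `sha256sum --check` will reject the line as improperly formatted and the job fails before anything is verified; replace it with the actual digest of the released script and use the conventional two-space separator, e.g. `echo "<sha256-of-install.sh>  install.sh" | sha256sum --check -`. Separately, the `Download installer` step still fetches the mutable path `https://example.com/install.sh` rather than an immutable release asset as the "Pin versions" mitigation recommends, so the checksum will start failing whenever upstream republishes the script; pin a versioned release URL alongside the digest.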
Impact
| Dimension | Severity | Notes |
|---|---|---|
| Likelihood | Quick-start guides often recommend this pattern. | |
| Risk | Remote code executes with full workflow privileges. | |
| Blast radius | Any repo/cloud resource accessible to the workflow can be compromised. | |
References
- [1] GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/actions/security-guides/security-hardening-for-github-actions
- curl Manual, “Security considerations,” https://curl.se/docs/security.html