A critical RCE vulnerability we discovered in a widely-used CI/CD system.
We discovered a remote code execution vulnerability in a popular CI/CD platform that affects over 50,000 installations. The vulnerability allows an unauthenticated attacker to execute arbitrary commands on the CI runner by crafting a malicious webhook payload. We walk through the discovery process, root cause analysis, and the coordinated disclosure timeline.
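The post does not name the platform or the exact root cause, so the following is an added illustration of the vulnerability class rather than the affected product's code or the authors' exploit: a webhook handler that accepts unauthenticated requests and feeds a payload field (here a hypothetical `ref` branch name) into a shell string, shown beside a hardened handler that verifies an HMAC-SHA256 signature over the raw body, allow-lists the field, and never passes it through a shell. The header format `sha256=<hex>`, the secret, and the sample payloads are all constructed for the example.

```python
"""Added example: unauthenticated webhook -> shell injection, and a hardened handler.
Hypothetical code; not from the post or the affected CI/CD platform."""
import hashlib
import hmac
import json
import re
from typing import List, Optional

# Constructed sample payloads (not captured from any real system).
SAMPLE_BODY = json.dumps({"ref": "refs/heads/main", "after": "0123abcd"}).encode()
MALICIOUS_BODY = json.dumps({"ref": "refs/heads/main; id"}).encode()
SECRET = b"constructed-webhook-secret"


# --- Vulnerable pattern -------------------------------------------------------
def vulnerable_command(body: bytes) -> str:
    """Build the shell string an unsafe runner would hand to `sh -c`.

    Nothing authenticates the sender, and the attacker-controlled ref is
    interpolated into a shell command, so metacharacters in it are executed.
    The string is returned rather than run so the example is safe to execute.
    """
    event = json.loads(body)
    ref = event["ref"]
    return f"git fetch origin {ref} && git checkout FETCH_HEAD"


# --- Hardened pattern ---------------------------------------------------------
def sign_body(secret: bytes, body: bytes) -> str:
    """Produce the signature header value the legitimate sender would attach
    (hypothetical 'sha256=<hex>' format, computed over the raw request body)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Verify the HMAC over the raw bytes before parsing anything.

    compare_digest is constant-time, so an attacker cannot recover the
    expected MAC byte by byte from response timing.
    """
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):])


# Only plain branch refs; no shell metacharacters, whitespace, or option-looking values.
SAFE_REF = re.compile(r"^refs/heads/[A-Za-z0-9._/-]+$")


def is_safe_ref(ref: object) -> bool:
    """Allow-list the ref and additionally reject '..' path components."""
    if not isinstance(ref, str) or not SAFE_REF.match(ref):
        return False
    return ".." not in ref


def hardened_command(secret: bytes, body: bytes, header: Optional[str]) -> Optional[List[str]]:
    """Return the argv list the runner should execute, or None to reject.

    The ref is a single argv element executed without a shell (e.g. via
    subprocess.run(argv, shell=False)), so even a ref that slipped past the
    allow-list could not splice in a second command.
    """
    if not verify_signature(secret, body, header):
        return None
    try:
        event = json.loads(body)
    except ValueError:
        return None
    ref = event.get("ref") if isinstance(event, dict) else None
    if not is_safe_ref(ref):
        return None
    return ["git", "fetch", "origin", ref]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(MALICIOUS_BODY))
    print("hardened, signed:", hardened_command(SECRET, SAMPLE_BODY, sign_body(SECRET, SAMPLE_BODY)))
    print("hardened, unsigned:", hardened_command(SECRET, SAMPLE_BODY, None))
    print("hardened, malicious:", hardened_command(SECRET, MALICIOUS_BODY, sign_body(SECRET, MALICIOUS_BODY)))
```

The ordering matters: the signature is checked over the raw bytes before JSON parsing, so unauthenticated requests never reach the parser, and the allow-list plus argv execution means signature verification is not the only barrier between the payload and the runner's shell.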