CNNVD-202507-3776 Information

CNNVD ID

CNNVD-202507-3776

CVE-2025-54430

  • CNNVD Published: 2025-07-30

Description (Chinese)

Dedupe Python Library is an open-source Python library from Dedupe.io for accurate and scalable fuzzy matching and deduplication. Dedupe Python Library has an operating system command injection vulnerability: the issue_comment trigger in the .github/workflows/benchmark-bot.yml workflow executes untrusted code, which may lead to leakage of the GITHUB_TOKEN.

Description (English)

Dedupe Python Library is an open-source Python library from Dedupe.io for accurate and scalable fuzzy matching and deduplication. Dedupe Python Library has an operating system command injection vulnerability: the issue_comment trigger in the .github/workflows/benchmark-bot.yml workflow executes untrusted code, which could lead to the GITHUB_TOKEN leaking.

Hazard Level

Low

Vulnerability Type

Operating system command injection

Affected Vendor

Dedupe.io

Published

2025-07-30

Last Modified

2026-02-24

References

https://github.com/dedupeio/dedupe/commit/3f61e79102910bd355e920a2df7e44c14c9cb247
https://github.com/dedupeio/dedupe/security/advisories/GHSA-wrg3-xqw8-m85p

Patch

https://docs.dedupe.io/en/latest/