RCE in Ozi-project Publish
CVE-2025-47271
The OZI action is a GitHub Action that publishes releases to PyPI and mirrors releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A mal…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.004 (percentile 27.1), i.e. an estimated 0.4% probability of exploitation activity in the wild within the next 30 days.
Affected products
- Ozi-project Publish — versions >= 1.13.2, < 1.13.6
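The description above only says that untrusted data reaches PR creation logic; the page does not give the concrete vector. The script below is an added illustration, not OZI-project code, of the general mechanism behind this class of GitHub Actions bug: a `${{ ... }}` expression is expanded into the step's script text before the shell parses it, so a step like `run: gh pr create --body "${{ github.event.pull_request.body }}"` lets whoever controls the body close the quote and append commands, whereas binding the value to an `env:` variable and writing `"$BODY"` hands it to the shell as data. The `gh` call, the variable names and the payload are constructed for this example; `printf` stands in for the real command so it runs offline.

```shell
#!/bin/sh
# Added illustration (not OZI-project code) of GitHub Actions script injection.
#
# Vulnerable workflow shape modelled by vulnerable_step():
#     run: gh pr create --body "${{ github.event.pull_request.body }}"
# Hardened shape modelled by hardened_step():
#     env:
#       BODY: ${{ github.event.pull_request.body }}
#     run: gh pr create --body "$BODY"

# Constructed attacker-controlled input, e.g. a PR body or tag message.
# The embedded quote closes the argument; the rest becomes shell commands.
PAYLOAD='release notes"; echo INJECTED; echo "'

# Model of the vulnerable step: the untrusted value is pasted into the command
# text (as ${{ }} expansion does) and the shell then parses the whole string.
vulnerable_step() {
  script=$(printf 'printf "%%s\\n" "%s"' "$1")
  sh -c "$script"
}

# Model of the hardened step: the value is passed as an environment variable,
# so the shell only ever sees it as data, never as code.
hardened_step() {
  UNTRUSTED="$1" sh -c 'printf "%s\n" "$UNTRUSTED"'
}

# Count output lines that consist solely of INJECTED: such a line can only come
# from the attacker's appended command, not from printing the body literally.
# $1 is the name of the step function to exercise.
injected_lines() {
  "$1" "$PAYLOAD" | grep -cx 'INJECTED' || true
}

main() {
  echo "vulnerable step output:"
  vulnerable_step "$PAYLOAD"
  echo "hardened step output:"
  hardened_step "$PAYLOAD"
  echo "injected commands executed (vulnerable): $(injected_lines vulnerable_step)"
  echo "injected commands executed (hardened):   $(injected_lines hardened_step)"
}

main
```

Run it with any POSIX shell. The vulnerable model prints an extra `INJECTED` line because the payload's closing quote turned the rest of the body into commands; the hardened model prints the whole payload verbatim on one line. The same discipline applies to any other untrusted event field (tag messages, commit messages, issue titles, branch names) that a release or PR-creation step interpolates.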
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)