This blog will contain a host of information about various vulnerabilities and thoughts related to vulnerability management.
2025-05-19
The word “Context” has to be AppSec's word of the year. It feels like this word is on everyone’s lips these days. Has security not always been about context? In fact, I’ll go as far as to say that vulnerabilities are irrelevant.
Over the years, I’ve had the chance to coach multiple security professionals at all levels. A frequent question that comes up from people being mentored is: what vulnerabilities should I study or learn about? The answer I usually provide often comes as a surprise to them: do not care about vulnerabilities, care about learning the basics of what makes vulnerabilities possible from a general point of view. In other words, learn to contextualize the information you are looking at so you can weave together your technical and general security knowledge.
I was looking at my weekly feed earlier and I noticed an interesting vulnerability. This particular one allowed an attacker to do a code injection attack through a GitHub Action. I’m not generally interested in GitHub Actions but, somehow, people around me have been talking a lot about these in the last couple of weeks… So I decided to use this as a bit of a learning opportunity in getting up to date with GitHub Actions: I had never heard of GitHub Actions-related injections.
This CVE affects the OZI-project action publish and allows an attacker to inject code into a run command, using unfiltered data under the control of the user submitting a pull request. The patch for this injection vulnerability is available on GitHub; here is a screenshot of the one file that changed as part of the patch:
We can quickly see that line 37 was replaced with a new line that first places the data in environment variables and only then uses it as part of the run command. Prior to the patch, the user-controlled data was used directly, as is, without any other precaution.
To the untrained eye, this might just look like any other piece of code. To a security professional, the original code should raise a security concern… even if they don’t know about GitHub Actions injection threats and how to fix them. Why, you might ask? Even if you’ve never looked at GitHub Actions injections, the way this is written should ring alarm bells because of the similarities it holds to SQLi, command injection, or any other injection attack known, and unknown, to humanity at this point in time.
Understanding general patterns without linking them to specific technologies (in this case, user-controlled data being fed into any form of interpreter) allows you to quickly grasp the information and apply it in various different but similar contexts. This is what I call learning the basics. The knowledge acquired this way often stays valid across languages and technologies. You should be able to apply it even if you’re not fully fluent in a given tech stack. Of course, knowing the pitfalls ahead of time helps. But you’re never going to be able to know everything about everything. This is why “the basics” are of such importance in our field.
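The pattern described above, both the specific patch (move the expression out of the `run:` line and into `env:`) and the general rule (untrusted data must not be spliced into interpreter input), can be checked mechanically. The script below is an added example written for this post; it is not the OZI-project's code, and the two workflows embedded in it are constructed stand-ins for the vulnerable and patched shapes, not the actual changed file. It scans a workflow for `${{ … }}` expressions that appear inside `run:` values and reference pull-request-controlled contexts. The list of untrusted contexts is an illustrative subset of what GitHub documents as attacker-influenced, not an exhaustive one. The reason the `env:` form is safe is that a `${{ }}` expression is substituted into the script text before the shell ever parses it, whereas an environment variable is read by the shell at runtime as plain data.

```python
import re

# Expression contexts that a pull-request author (or any external contributor)
# can populate. Illustrative subset, based on GitHub's hardening guidance.
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.commits",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Matches a `run:` key, optionally as the first key of a list item (`- run:`).
# `runs-on:` does not match because the key must be exactly `run:`.
RUN_KEY_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")


def run_lines(workflow: str):
    """Yield (line_no, text) for every line that belongs to a `run:` value.

    A single-line `run: cmd` yields once; a block scalar (`run: |` / `run: >`)
    yields each continuation line indented deeper than the key. 1-based lines.
    """
    lines = workflow.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        value = m.group(1)
        if value[:1] in ("|", ">"):
            i += 1
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > key_col
            ):
                yield i + 1, lines[i]
                i += 1
        else:
            yield i + 1, value
            i += 1


def find_run_injections(workflow: str):
    """Return [(line_no, expression)] for expressions interpolated into a run
    step that reference attacker-influenced event data."""
    findings = []
    for line_no, text in run_lines(workflow):
        for expr in EXPR_RE.findall(text):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((line_no, expr))
    return findings


# Constructed sample: the shape of the pre-patch code (expression inside run).
VULNERABLE_WORKFLOW = """\
name: greet
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the PR title
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Log the source branch
        run: |
          echo "branch: ${{ github.head_ref }}"
"""

# Constructed sample: the shape of the patched code (expression moved to env,
# shell reads it as data via a quoted variable).
HARDENED_WORKFLOW = """\
name: greet
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
      - name: Log the source branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "branch: $HEAD_REF"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = find_run_injections(wf)
        print(f"{label}: {len(hits)} finding(s)")
        for line_no, expr in hits:
            print(f"  line {line_no}: ${{{{ {expr} }}}} interpolated into a run step")
```

Run it as a script, or point `find_run_injections` at the text of any `.github/workflows/*.yml` file. A finding means the same fix the patch applied: bind the expression to an `env:` entry and reference it from the shell as a quoted variable.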
Of course, vulnerabilities matter. The statement I made previously is only true in the given context. I use this statement when helping someone new to the field learn about it. As a community, we should rejoice that people are now getting more and more interested in understanding the context of things. This can only help our industry from a credibility standpoint. It can only help heighten trust between business stakeholders and IT security teams.
As a security professional, when recommending a security measure or a security fix, no matter what’s written in the theory book, if you can’t answer the question “why is this required?” based on simple contextual information, stop. Go back and do some more research: the book does not know your specific context, only you do.
In everything we do as security professionals, we should stop and remember the words of Gregory Bateson:
"Without context, words and actions have no meaning at all."
-Gregory Bateson
Shall we?