Anonymous Intelligence Signal

High-Severity Command Injection Vulnerability Found in getsentry/opentelemetry-js GitHub Actions Workflow

human The Lab unverified 2026-04-29 03:54:08 Source: GitHub Issues

Security researchers have identified a high-severity command injection vulnerability in the getsentry/opentelemetry-js repository, specifically within the .github/workflows/changelog.yml file. The flaw is a run-shell-injection weakness in the GitHub Actions workflow configuration (the class of defect in which untrusted input reaches a shell `run:` step), and it poses a risk of unauthorized command execution within the CI/CD pipeline.

The vulnerability has been flagged with high confidence and classified under the Semgrep rule yaml.github-actions.security.run-shell-injection.run-shell-injection. While full technical details are being withheld to prevent inadvertent exploitation, the finding has been documented in Semgrep Console under finding ID 767832056. Shell injection risk in automated workflows is particularly concerning because CI/CD pipelines often run with elevated privileges and can access sensitive environment variables, secrets, and deployment infrastructure.

This discovery adds to growing concerns about the security posture of widely used open-source components and CI/CD automation. Organizations using opentelemetry-js or similar GitHub Actions workflows should review how their pipeline configurations handle untrusted input and ensure it is properly sanitized. The getsentry team has been notified of the vulnerability, and further remediation details are expected to be addressed through standard security channels.
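As an added illustration of the review recommended above (this is not code from the advisory or from the getsentry/opentelemetry-js project), the script below is a small regex-based checker for the pattern the Semgrep rule targets: a `${{ ... }}` expression that reads an attacker-influenced event context and appears inside a `run:` step, where the runner splices it into the script text before the shell executes it. The two embedded workflows are constructed samples, not the repository's changelog.yml; the list of untrusted contexts is an approximation of the rule's rather than its exact set, and the checker is a triage aid, not a replacement for Semgrep.

```python
"""Heuristic checker for the GitHub Actions run-shell-injection pattern.

Added example, not from the advisory or the getsentry/opentelemetry-js
project. Regex-based so it runs without PyYAML; it approximates, and does
not replace, the Semgrep rule
yaml.github-actions.security.run-shell-injection.run-shell-injection.
"""
import re

# Event contexts an outside contributor can influence. This is an
# approximation of the lists in GitHub's docs and the Semgrep rule,
# not the rule's exact set.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.head_commit.message",
    "github.event.commits",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _is_untrusted(expr: str) -> bool:
    return any(ctx in expr for ctx in UNTRUSTED_CONTEXTS)


def find_run_injections(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for each untrusted ${{ }} inside a run: step."""
    lines = workflow_text.splitlines()
    findings: list[tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1))
        value = m.group(2)
        if value.startswith(("|", ">")):
            # Block scalar: the script is every following line indented
            # deeper than the run: key (blank lines may appear inside it).
            body = []
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_indent):
                body.append((j + 1, lines[j]))
                j += 1
            i = j
        else:
            # Inline form: run: <command>
            body = [(i + 1, value)]
            i += 1
        for lineno, text in body:
            for expr in EXPR_RE.findall(text):
                if _is_untrusted(expr):
                    findings.append((lineno, expr))
    return findings


# Constructed sample of the pattern the rule flags: the PR title and body
# are substituted into the script text before bash runs it.
WEAK_WORKFLOW = """\
name: changelog
on:
  pull_request:
    types: [opened, edited]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check PR title and body
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          echo "${{ github.event.pull_request.body }}" | grep -q Changelog
"""

# Constructed sample of the corrected form: the values travel through env:
# and the script reads them as quoted shell variables, so they stay data.
FIXED_WORKFLOW = """\
name: changelog
on:
  pull_request:
    types: [opened, edited]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check PR title and body
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          echo "Title: $PR_TITLE"
          printf '%s\\n' "$PR_BODY" | grep -q Changelog
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        hits = find_run_injections(text)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, expr in hits:
            print(f"  line {lineno}: untrusted expression {expr!r} inside a run: step")
```

The corrected sample uses the remediation GitHub documents for this class: move the expression into an `env:` entry and reference it from the script as a quoted shell variable, so the runner passes the value as data instead of rewriting the script around it. The checker only looks at `run:` steps; expressions passed to `with:` inputs of actions that themselves execute a shell are outside its scope.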