CVE-2025-53104: Command injection via GitHub Actions workflow in gluestack-ui
Blog post from Sysdig
CVE-2025-53104 is a critical command injection vulnerability discovered by the Sysdig Threat Research Team (TRT) in the GitHub repository gluestack/gluestack-ui, which is used for building React and React Native applications. This vulnerability, with a CVSS v3.1 base score of 9.1, allows attackers to execute arbitrary commands on the GitHub Actions runner by exploiting insecure handling of user-controlled inputs in the discussion-to-slack.yml workflow. This can lead to secret exfiltration and unauthorized modifications of repository content, potentially compromising NPM packages in a supply chain attack. The vulnerability was addressed with a patch released on June 13, 2025, emphasizing the importance of secure input handling and validation in GitHub Actions to prevent such threats.
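The vulnerability class described above (a workflow `run:` step that expands an attacker-controlled event field, such as a discussion title, directly into the shell script) can be caught before merge with a small static check. The following is an added example written for this page, not Sysdig's or gluestack's code, and the two workflow snippets in it are constructed stand-ins: they are not the real contents of `discussion-to-slack.yml`. The scanner walks each `run:` block and flags `${{ ... }}` expressions that reference event contexts GitHub documents as user-controlled; the hardened form moves those values into `env:` so the shell only ever sees an environment variable. The list of untrusted context prefixes is an assumption for illustration and is not exhaustive (for instance, step outputs derived from such fields are not followed).

```python
import re
from dataclasses import dataclass

# Expression contexts whose text is authored by whoever opened the discussion,
# issue, comment or pull request. Assumed list for this example; extend as needed.
UNTRUSTED_CONTEXTS = (
    "github.event.discussion.",
    "github.event.issue.",
    "github.event.comment.",
    "github.event.pull_request.",
    "github.event.review.",
    "github.event.head_commit.",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(-\s+)?run:\s*(.*)$")


@dataclass
class Finding:
    line: int          # 1-based line in the workflow file
    expression: str    # the context expression expanded inside the shell script


def _check(text: str, lineno: int, findings: list) -> None:
    for m in EXPR_RE.finditer(text):
        expr = m.group(1)
        if expr.startswith(UNTRUSTED_CONTEXTS):
            findings.append(Finding(lineno, expr))


def find_run_injections(workflow_text: str) -> list[Finding]:
    """Return every untrusted-context expansion that lands inside a run: script."""
    findings: list[Finding] = []
    in_run = False
    run_indent = 0
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        stripped = raw.lstrip()
        indent = len(raw) - len(stripped)
        m = RUN_KEY_RE.match(stripped)
        if m:
            # Remember the indent of the "run" key; block scalar lines sit deeper.
            in_run = True
            run_indent = indent + (len(m.group(1)) if m.group(1) else 0)
            body = m.group(2)
            if body and body not in ("|", ">", "|-", ">-"):
                _check(body, lineno, findings)      # one-line run: value
            continue
        if in_run:
            if stripped and indent <= run_indent:
                in_run = False                      # sibling key such as env: ends the script
            else:
                _check(stripped, lineno, findings)
    return findings


# Constructed sample: the anti-pattern, event text expanded straight into the script.
VULNERABLE_WORKFLOW = """\
name: discussion-to-slack
on:
  discussion:
    types: [created]
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - name: Post to Slack
        run: |
          echo "New discussion: ${{ github.event.discussion.title }}"
          echo "${{ github.event.discussion.body }}" > body.txt
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
"""

# Constructed sample: same step, with the untrusted values passed through env:
# so the shell receives them as variables rather than as script text.
FIXED_WORKFLOW = """\
name: discussion-to-slack
on:
  discussion:
    types: [created]
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - name: Post to Slack
        env:
          TITLE: ${{ github.event.discussion.title }}
          BODY: ${{ github.event.discussion.body }}
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
        run: |
          echo "New discussion: $TITLE"
          echo "$BODY" > body.txt
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        hits = find_run_injections(text)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: ${{{{ {f.expression} }}}} expanded inside run:")
```

The check is deliberately line-based rather than a full YAML parse so it can run in a pre-commit hook without extra dependencies; the same rule can be enforced at review time by requiring that any `${{ github.event.* }}` value reach a shell only via an `env:` entry.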