HackMyIP
2026-04-29 Dark Reading

AI Reverse Engineering Exposes Critical GitHub Vulnerability

AI Security, Vulnerability, Zero-Day

Security researchers at Wiz have leveraged an AI‑powered reverse‑engineering engine to uncover a high‑severity flaw in GitHub’s continuous integration infrastructure that would have been prohibitively expensive to discover using traditional manual analysis. The AI tool, a purpose‑built large‑language model fine‑tuned on binary disassembly and source‑code patterns, automatically decompiled and analyzed the GitHub Actions runner binary, rapidly identifying anomalous behavior in the artifact upload module.

The identified vulnerability stems from insufficient path sanitization in the runner’s artifact handling code. When a workflow uploads an artifact, the service constructs a file‑system path based on user‑controlled input without properly validating traversal sequences. This allows an attacker who can control the artifact name to inject path‑traversal characters (e.g., "../../"), overwriting arbitrary files on the runner’s host. In a worst‑case scenario, the attacker could replace a privileged system binary or inject a malicious hook, achieving arbitrary code execution with the same privileges as the runner process. The flaw was assigned a CVSS v3.1 base score of 9.8, reflecting its critical severity.

Wiz responsibly disclosed the issue to GitHub’s security team through the company’s public bug‑bounty program. GitHub confirmed the finding, reproduced the attack, and released a patch within 72 hours that introduces strict validation of artifact paths, enforcing alphanumeric characters and disallowing path separators. The patch also implements a temporary isolation layer that sandboxes artifact processing, preventing cross‑directory writes even if validation is bypassed. Organizations using GitHub Actions are urged to update their runners to the latest version (runner‑2.319.0 or later) and to review workflow definitions for any reliance on untrusted artifact names.
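The two layers the patch is described as adding, a strict allowlist on the artifact name followed by a containment check on the resolved path, can be sketched as follows. This is an added example, not GitHub's runner code; the function names, the 128-character limit and the sample names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: allowlist modelled on the article's description of the fix
# (alphanumeric characters only, no path separators); not GitHub's actual rule.
_NAME_RE = re.compile(r"[A-Za-z0-9]{1,128}")


def unsafe_artifact_path(root, name):
    """The flawed pattern: a user-controlled name joined straight onto the root."""
    return os.path.normpath(os.path.join(root, name))


def safe_artifact_path(root, name):
    """Layer 1: allowlist the name. Layer 2: confirm the resolved path stays under root."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"rejected artifact name: {name!r}")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    # Catches escapes through a symlink inside root even when the name is clean.
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"artifact path escapes root: {target!r}")
    return target


def check_names(root, names):
    """Return {name: resolved path, or None if rejected} for a batch of names."""
    results = {}
    for name in names:
        try:
            results[name] = safe_artifact_path(root, name)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    # Constructed sample names, not taken from the reported issue.
    samples = ["buildoutput1", "../../tmp/x", "a/b", "..", "", "report.zip"]
    with tempfile.TemporaryDirectory() as root:
        print("unsafe join:", unsafe_artifact_path(root, samples[1]))
        for name, path in check_names(root, samples).items():
            print(f"{name!r:20} -> {path or 'REJECTED'}")
```

The second check matters because a name that passes the allowlist can still resolve outside the root when a directory entry of that name is a symlink.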

The discovery underscores how AI‑driven reverse‑engineering can slash the cost and time required to find complex vulnerabilities in large codebases. Wiz’s research team noted that the AI tool processed the multi‑million‑line runner binary in under two hours, a task that historically would have taken a skilled reverse engineer weeks. As AI security tooling matures, experts anticipate a shift in the threat landscape—more zero‑day vulnerabilities may surface faster, prompting organizations to adopt automated patching pipelines and tighter integration between development and security operations.

Source: Dark Reading
