On 18th April 2021, a security researcher identified a vulnerability in our review-cask-pr GitHub Action used on the homebrew-cask and all homebrew-cask-* taps (non-default repositories) in the Homebrew organization and reported it on our HackerOne.
Whenever an affected cask tap received a pull request to change only the version of a cask, the review-cask-pr GitHub Action would automatically review and approve the pull request. The approval would then trigger the automerge GitHub Action which would merge the approved pull request. A proof-of-concept (PoC) pull request demonstrating the vulnerability was submitted with our permission. We subsequently reverted the PoC pull request, disabled and removed the automerge GitHub Action and disabled and removed the review-cask-pr GitHub Action from all vulnerable repositories.
What was impacted
The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it merged automatically. It is due to a flaw in `git_diff`, a dependency of the `review-cask-pr` GitHub Action used to parse a pull request's diff for inspection. Because of this flaw, the parser can be spoofed into silently ignoring the offending lines, so a malicious pull request looks like a plain version change and is approved.
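To illustrate this class of bug, here is an added example (not Homebrew's code and not the `git_diff` gem's code): a naive unified-diff classifier that drops a line from a hunk because its raw form looks like a file header, beside a hunk-aware parser that treats every `+`/`-` line inside a hunk as a change and cross-checks the hunk header's line counts. The spoof it uses (an added line whose content begins with `++ `, so the raw diff line reads `+++ ...`) is hypothetical and chosen for illustration; the cask, both diffs and the `version_bump_only?` review policy are constructed for the example.

```ruby
# Added example, not Homebrew's or git_diff's code. The spoof shown here
# (an added line whose content begins with "++ ", so the raw diff line
# reads "+++ ...") is hypothetical and illustrates header/hunk confusion.

HUNK_HEADER = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/
HEADER_LIKE = /\A(diff |index |--- |\+\+\+ |@@ )/

# Constructed PR diff: a real version bump plus one smuggled line.
SPOOFED_DIFF = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,5 @@
   cask "example" do
  -  version "1.0.0"
  +  version "1.0.1"
  +++ system "echo", "this added line is invisible to the naive parser"
     sha256 "0000000000000000000000000000000000000000000000000000000000000000"
   end
DIFF

# Constructed diff of a genuine version-only bump, for comparison.
CLEAN_DIFF = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,4 @@
   cask "example" do
  -  version "1.0.0"
  +  version "1.0.1"
     sha256 "0000000000000000000000000000000000000000000000000000000000000000"
   end
DIFF

# Flawed classifier: decides by line prefix alone, so anything that looks
# like a header is skipped even when it sits inside a hunk.
def naive_changed_lines(diff)
  diff.each_line.filter_map do |raw|
    line = raw.chomp
    case line
    when HEADER_LIKE then nil                 # "+++ ..." inside a hunk is dropped here
    when /\A\+/ then [:add, line[1..]]
    when /\A-/ then [:del, line[1..]]
    else nil                                  # context line
    end
  end
end

# Hunk-aware parser: file headers only exist before the first "@@" of a file;
# inside a hunk every "+" or "-" line is a change, and the number of old/new
# lines seen must match the counts declared in the hunk header.
def hunk_aware_changed_lines(diff)
  changes = []
  hunk = nil
  finish = lambda do
    return unless hunk
    unless hunk[:old_seen] == hunk[:old] && hunk[:new_seen] == hunk[:new]
      raise "hunk line counts do not match header"
    end
    hunk = nil
  end
  diff.each_line do |raw|
    line = raw.chomp
    if line.start_with?("diff ")
      finish.call
    elsif (m = HUNK_HEADER.match(line))
      finish.call
      hunk = { old: (m[2] || 1).to_i, new: (m[4] || 1).to_i, old_seen: 0, new_seen: 0 }
    elsif hunk
      case line[0]
      when "+"
        changes << [:add, line[1..]]
        hunk[:new_seen] += 1
      when "-"
        changes << [:del, line[1..]]
        hunk[:old_seen] += 1
      when " ", nil
        hunk[:old_seen] += 1
        hunk[:new_seen] += 1
      when "\\"
        nil                                   # "\ No newline at end of file"
      else
        raise "unexpected line inside hunk: #{line.inspect}"
      end
    end
  end
  finish.call
  changes
end

# Constructed review policy: approve only when every changed line is a
# version or sha256 stanza.
VERSION_OR_SHA = /\A\s*(version|sha256)\s+"[^"]*"\s*\z/

def version_bump_only?(changes)
  !changes.empty? && changes.all? { |_kind, content| content.match?(VERSION_OR_SHA) }
end

if __FILE__ == $PROGRAM_NAME
  puts "naive parser approves spoofed PR:      #{version_bump_only?(naive_changed_lines(SPOOFED_DIFF))}"
  puts "hunk-aware parser approves spoofed PR: #{version_bump_only?(hunk_aware_changed_lines(SPOOFED_DIFF))}"
end
```

The naive classifier sees only the `version` change in the spoofed diff and approves it, while the hunk-aware parser also reports the `++ system ...` addition and rejects it. The line-count check is a consistency guard against a mangled diff, not the defence itself: the defence is that nothing inside a hunk is ever reclassified as a header. The same confusion works in the other direction for a deleted line whose content begins with `-- `.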
A single cask was compromised with a harmless change for the duration of the demonstration pull request until its reversal. No action is required by users due to this incident.
What we’re doing about it
- The vulnerable `review-cask-pr` GitHub Action has been disabled and removed from all repositories.
- The `automerge` GitHub Action has been disabled and removed from all repositories (in favour of the GitHub built-in functionality that did not exist when this action was created).
- We have removed the ability for our bots to commit to `homebrew/cask*` repositories.
- All `homebrew/cask*` pull requests will require a manual review and approval by a maintainer.
- We are improving documentation to help onboard new `homebrew/cask` maintainers and training existing `homebrew/core` maintainers to help with `homebrew/cask`.
We have taken, and will continue to take, the security of the project and our users very seriously, and we try our best to respond to security issues as promptly as a for-profit company would.
In order to ensure and improve Homebrew’s security, please consider contributing your code and code reviews to our GitHub projects.
Thanks for using Homebrew!