I got the same running it inside a container, but got a shell when running it directly in the host. This only shows that the exploit doesn't work inside a container. So, containers aren't vulnerable, or the script needs some adjustments to make it work in containers.
It's also interesting that they will no longer offer a commercial self-hosted solution.
> As a part of this shift, we are offering a new self-hosted repo that makes it easy to run Codecov in a minimal docker-compose based setup for proof-of-concept and small volume deployments. We are end-of-lifing our commercial self-hosted offering, but will continue to provide support to existing customers who are running Codecov on-prem.