CVE-2025-62794

GitHub Workflow Updater stored the optional Github token in plaintext

CVSS 3.8 LOWEPSS 0.1%CWE-522

Vexday Risk Score

8Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 3.8EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

28 out 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Produtos afetados

RichardoC · github-workflow-updater-extension

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/microsoft/vscode-discussions/discussions/748 https://github.com/RichardoC/github-workflow-updater-extension/commit/b9518c38ac6bc2a9fda2242e6daef17f7184ad1f https://github.com/RichardoC/github-workflow-updater-extension/security/advisories/GHSA-679x-97jw-8vjp