Sensitive Credential Exposure in HL7 FHIR IG Publisher Tool
CVE-2025-24363

4.2 MEDIUM

Key Information:

Vendor:
HL7

CVE Published:
24 January 2025

What is CVE-2025-24363?

The HL7 FHIR IG Publisher, the tool used to build standard FHIR Implementation Guides (IGs), can expose sensitive credentials. In versions prior to 1.8.9, the IG Publisher CLI runs git commands to identify the originating repository URL and records that URL in the built Implementation Guide. If the repository's origin is set to a URL that embeds a username and credential, the built IG therefore carries that username and password. Users who cloned a public repository are not affected.

Users are advised to check their IG repository configuration to ensure the origin URL contains no sensitive information. The issue is fixed in version 1.8.9; users are encouraged to upgrade and, as a workaround, to supply a credential-free URL explicitly via the -repo parameter.
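The following is an added example, not code from the IG Publisher project: a pre-build check that reads the same git remote URLs the publisher would pick up, flags any that embed userinfo, produces the credential-free form to pass with -repo, and a post-build scan over built IG text for URLs that still carry userinfo. It assumes a repository directory with a working git checkout and constructs its own sample URLs.

```python
"""Pre- and post-build checks for the credential-in-origin-URL issue (CVE-2025-24363).
Added example, not part of the HL7 FHIR IG Publisher. Assumes `git` is on PATH."""
import re
import subprocess
from urllib.parse import urlsplit, urlunsplit

# Any scheme://userinfo@host... occurrence in free text (built HTML, JSON, etc.).
_CRED_URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s@/'\"<>]+@[^\s'\"<>]+")


def has_embedded_credentials(url: str) -> bool:
    """True if the URL carries userinfo (user and/or password) before the host.
    scp-style SSH remotes such as git@host:org/repo.git have no scheme and are
    not flagged: the 'git' user there is not a secret."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)


def redact_url(url: str) -> str:
    """Return the URL with userinfo removed, keeping host, port and path intact."""
    parts = urlsplit(url)
    if not (parts.username or parts.password):
        return url
    host = parts.netloc.rsplit("@", 1)[1]  # everything after the last '@'
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def git_remote_urls(repo_dir: str = ".") -> dict:
    """Map remote name -> fetch URL, read from `git remote -v` as the publisher would."""
    out = subprocess.run(["git", "remote", "-v"], cwd=repo_dir,
                         capture_output=True, text=True, check=True).stdout
    urls = {}
    for line in out.splitlines():
        name, url, kind = line.split()
        if kind == "(fetch)":
            urls[name] = url
    return urls


def find_leaky_remotes(remotes: dict) -> dict:
    """Map remote name -> redacted URL for every remote whose URL embeds credentials."""
    return {n: redact_url(u) for n, u in remotes.items() if has_embedded_credentials(u)}


def scan_output_for_credential_urls(text: str) -> list:
    """Post-build check: every URL with embedded userinfo found in built IG text."""
    return [m.group(0) for m in _CRED_URL_RE.finditer(text)]


if __name__ == "__main__":
    for name, safe in find_leaky_remotes(git_remote_urls()).items():
        print(f"remote '{name}' embeds credentials; pass -repo {safe} instead")
```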

Affected Version(s)

fhir-ig-publisher < 1.8.9

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged
