Token Exposure in GitHub Composite Action by Canonical
CVE-2025-31479

8.2HIGH

Key Information:

Vendor
Canonical
Status
Get-workflow-version-action
Vendor
CVE Published:
2 April 2025

Summary

The get-workflow-version-action, a composite action developed by Canonical for GitHub, has a vulnerability that leads to the potential exposure of the GITHUB_TOKEN in plaintext logs. If the action fails, the output may display a truncated version of the token, which can be accessed by anyone who has read access to the repository. This poses a security risk, especially for public repositories where logs are visible to anyone. The vulnerability has been addressed in version 1.0.1, which ensures that tokens are properly handled to prevent unauthorized access.

Affected Version(s)

get-workflow-version-action < 1.0.1

References

https://github.com/canonical/get-workflow-version-action/...
x_refsource_CONFIRM
https://github.com/canonical/get-workflow-version-action/...
x_refsource_MISC
https://github.com/canonical/get-workflow-version-action/...
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-31479 : Token Exposure in GitHub Composite Action by Canonical | SecurityVulnerability.io