Token Exposure in GitHub Composite Action by Canonical
CVE-2025-31479
8.2 HIGH
Summary
The get-workflow-version-action, a composite GitHub Action developed by Canonical, has a vulnerability that can expose the GITHUB_TOKEN in plaintext logs. If the action fails, its output may include a truncated copy of the token, which is readable by anyone with read access to the repository. This is a particular risk for public repositories, where workflow logs are visible to everyone. The issue is fixed in version 1.0.1, which handles the token so that it is not written to the logs.
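The two checks a repository owner would want after reading this advisory are (a) which workflows still pin a version of the action below 1.0.1, and (b) whether existing job logs already contain a token fragment that should be treated as compromised. GitHub's built-in log masking matches the full secret value, which is why a truncated token can slip through it. The script below is an added example, not code from the advisory or from Canonical's action; it assumes the action is referenced as `canonical/get-workflow-version-action` in `uses:` lines (the repository path is an assumption) and that a leaked fragment keeps the standard GitHub token prefix (`ghs_`, `ghp_`, `github_pat_`, ...). The workflow and log text are constructed samples.

```python
import re

# Assumed repository path of the action (not stated in the advisory).
ACTION = "canonical/get-workflow-version-action"
# First fixed version according to the advisory.
FIXED = (1, 0, 1)

# Matches "uses: owner/name@ref" lines in a workflow file.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)", re.MULTILINE)

# GitHub token prefixes followed by at least four token characters. A truncated
# token that keeps its prefix still matches; this is the assumed leak shape.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{4,}|github_pat_[A-Za-z0-9_]{4,})")

# Constructed sample workflow: one vulnerable pin, one fixed pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: canonical/get-workflow-version-action@v1.0.0
      - uses: canonical/get-workflow-version-action@v1.0.1
"""

# Constructed sample log line; the token value is fake.
SAMPLE_LOG = """\
Run canonical/get-workflow-version-action@v1.0.0
Error: request failed for token ghs_EXAMPLE0123456789abcdef (truncated)
Error: Process completed with exit code 1.
"""


def parse_version(ref):
    """Return (major, minor, patch) for refs like v1.0.1, or None for
    branch names, commit SHAs and major-only tags such as v1."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def find_vulnerable_uses(workflow_text):
    """List (ref, status) for every pin of the affected action.
    status is 'vulnerable' for versions below FIXED and 'unknown' for refs
    that cannot be compared, which a reviewer should resolve by hand."""
    hits = []
    for m in USES_RE.finditer(workflow_text):
        name, ref = m.group(1), m.group(2)
        if name.lower() != ACTION:
            continue
        ver = parse_version(ref)
        if ver is None:
            hits.append((ref, "unknown"))
        elif ver < FIXED:
            hits.append((ref, "vulnerable"))
    return hits


def redact_tokens(log_text):
    """Replace token-like strings with their prefix plus '***'.
    Returns (redacted_text, number_of_matches); a non-zero count means the
    token seen in that log should be rotated, not just hidden."""
    count = 0

    def _mask(m):
        nonlocal count
        count += 1
        return m.group(0)[:4] + "***"

    return TOKEN_RE.sub(_mask, log_text), count


if __name__ == "__main__":
    for ref, status in find_vulnerable_uses(SAMPLE_WORKFLOW):
        print(f"{ACTION}@{ref}: {status}")
    redacted, n = redact_tokens(SAMPLE_LOG)
    print(f"{n} token fragment(s) found")
    print(redacted)
```

Run it against the real `.github/workflows/*.yml` files and downloaded job logs instead of the samples; any `unknown` pin (a floating tag like `v1`, a branch, or a commit SHA) needs a manual check against the action's changelog, and any non-zero redaction count should be treated as a token that has already been exposed.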
Affected Version(s)
get-workflow-version-action < 1.0.1
References
CVSS V3.1
Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved