Summary
A publicly exposed GitHub token in CodeQL workflow artifacts could allow attackers to execute malicious code
in repositories using CodeQL, potentially leading to source code exfiltration, secrets compromise, and supply
chain attacks. The vulnerability stemmed from a debug artifact containing environment variables, which could be
downloaded and exploited within a 1-2 second window.
Affected Services
GitHub CodeQL, GitHub Actions
Remediation
Update to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.
Tracked CVEs
CVE-2025-24362
References
https://www.praetorian.com/blog/codeqleaked-public-secrets-exposure-leads-to-supply-chain-attack-on-github-codeql/https://github.com/advisories/GHSA-vqf5-2xx6-9wfm
Contributed by https://github.com/korniko98
Entry Status
Finalized
Disclosure Date
Wed, Jan 22nd, 2025
Exploitablity Period
Until 2025/01/22
Known ITW Exploitation
-
Detection Methods
Monitor for unexpected branch or tag creations in CodeQL-related repositories. Scan workflow artifacts for exposed secrets. Review CodeQL workflow configurations for unsafe tag references.
Piercing Index Rating
-
Discovered by
John Stawinski, Praetorian
