CodeQLEAKED - CodeQL Supply Chain Attack via Exposed Secret
Published Wed, Mar 26th, 2025
Summary
A publicly exposed GitHub token in CodeQL workflow artifacts could allow attackers to execute malicious code in repositories using CodeQL, potentially leading to source code exfiltration, secrets compromise, and supply chain attacks. The vulnerability stemmed from a debug artifact that contained the workflow's environment variables, including the token; the artifact could be downloaded and the token used within a 1-2 second window before it expired.
Affected Services
GitHub CodeQL, GitHub Actions
Remediation
Update to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.
Monitor for unexpected branch or tag creations in CodeQL-related repositories. Scan workflow artifacts for exposed secrets. Review CodeQL workflow configurations for unsafe tag references.
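As an added example (not code from this advisory or from GitHub), a small Python check for the last two remediation items: it scans an environment dump of the kind the leaked debug artifact contained for GitHub token literals and sensitive Actions variables, and tests whether a workflow's `uses:` line pins github/codeql-action to 3.28.3 or later. The token prefixes and variable names are GitHub's documented ones; the sample dump and the token value in it are constructed.

```python
import re
from typing import List, Optional, Tuple

# Documented GitHub token prefixes; ghs_ is the prefix of the installation
# token that Actions exposes to a job as GITHUB_TOKEN.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b")
# Variables whose value must never be written into an uploaded artifact.
SENSITIVE_KEYS = ("GITHUB_TOKEN", "ACTIONS_RUNTIME_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN")

# Constructed sample: an env dump as a debug artifact might contain it (fake token).
SAMPLE_ENV_DUMP = """\
RUNNER_OS=Linux
GITHUB_REPOSITORY=example-org/example-repo
GITHUB_TOKEN=ghs_EXAMPLEtokenCONSTRUCTEDnotreal0000000000
CODEQL_ACTION_VERSION=3.28.2
PATH=/usr/bin:/bin
"""

def scan_env_dump(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, reason) for each KEY=VALUE line that leaks a credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        key, _, value = line.partition("=")
        key = key.strip()
        if TOKEN_RE.search(value):
            findings.append((no, f"{key}: GitHub token literal"))
        elif key in SENSITIVE_KEYS and value.strip():
            findings.append((no, f"{key}: sensitive variable present"))
    return findings

MIN_ACTION = (3, 28, 3)  # first fixed CodeQL Action release per the advisory
USES_RE = re.compile(r"uses:\s*github/codeql-action/[\w-]+@v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")

def codeql_action_ref_ok(uses_line: str) -> Optional[bool]:
    """True if the pinned codeql-action tag is >= 3.28.3, False if older, None if the
    ref is not a full semver tag (@v3, @main, a commit SHA) or is not codeql-action at
    all, in which case the resolved commit must be checked instead."""
    m = USES_RE.search(uses_line)
    if not m or m.group(3) is None:
        return None
    return tuple(int(g) for g in m.groups()) >= MIN_ACTION

if __name__ == "__main__":
    for no, reason in scan_env_dump(SAMPLE_ENV_DUMP):
        print(f"line {no}: {reason}")
    print(codeql_action_ref_ok("uses: github/codeql-action/analyze@v3.28.2"))
```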