critical

CodeQLEAKED - CodeQL Supply Chain Attack via Exposed Secret

Published Wed, Mar 26th, 2025
Platforms

Summary

A publicly exposed GitHub token in CodeQL workflow artifacts could allow attackers to execute malicious code in repositories using CodeQL, potentially leading to source code exfiltration, secrets compromise, and supply chain attacks. The vulnerability stemmed from a debug artifact containing environment variables, which could be downloaded and exploited within a 1-2 second window.

Affected Services

GitHub CodeQL, GitHub Actions

Remediation

Update to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.

Tracked CVEs

CVE-2025-24362

References

Entry Status
Finalized
Disclosure Date
Wed, Jan 22nd, 2025
Exploitability Period
Until 2025/01/22
Known ITW Exploitation
-
Detection Methods
Monitor for unexpected branch or tag creations in CodeQL-related repositories. Scan workflow artifacts for exposed secrets. Review CodeQL workflow configurations for unsafe tag references.
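
An added example, not part of this entry or of the CodeQL project's own tooling: a small Python check that reviews a workflow file for `github/codeql-action` steps pinned below the fixed release 3.28.3, or pinned to a floating ref (branch name or major-only tag) whose resolved version cannot be read from the workflow alone. The sample workflow is constructed; the regex and the choice to report floating refs as unverifiable are assumptions of this example.

```python
import re

# Lowest CodeQL Action release carrying the fix, per the advisory above.
FIXED_ACTION_VERSION = (3, 28, 3)

# Matches `uses: github/codeql-action/<step>@<ref>` lines in a workflow file.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*github/codeql-action/(?P<step>[\w-]+)@(?P<ref>\S+)",
    re.MULTILINE,
)
# Fully pinned release tag, e.g. v3.28.3
VERSION_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")


def check_codeql_workflow(workflow_text):
    """Return (step, ref, reason) findings for CodeQL Action uses that are
    either below the fixed version or pinned to a ref (branch, major-only
    tag, commit SHA) whose release version cannot be established from the
    workflow file alone. A major-only tag such as @v3 normally resolves to
    the latest v3 release, but that cannot be confirmed without resolving it."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        step, ref = m.group("step"), m.group("ref")
        v = VERSION_RE.match(ref)
        if v is None:
            findings.append((step, ref, "floating ref; version not verifiable"))
            continue
        if tuple(int(x) for x in v.groups()) < FIXED_ACTION_VERSION:
            findings.append((step, ref, "below fixed version 3.28.3"))
    return findings


# Constructed sample workflow fragment, not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3.27.9
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3.28.3
      - uses: github/codeql-action/upload-sarif@main
"""

if __name__ == "__main__":
    for step, ref, reason in check_codeql_workflow(SAMPLE_WORKFLOW):
        print(f"codeql-action/{step}@{ref}: {reason}")
```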
Piercing Index Rating
-
Discovered by
John Stawinski, Praetorian