CVE-2025-62794
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62794, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-28

Last updated on: 2025-10-30

Assigner: GitHub, Inc.

Description

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-28
Last Modified
2025-10-30
Generated
2026-07-06
AI Q&A
2025-10-28
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
github github_workflow_updater *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in GitHub Workflow Updater (before version 0.0.7) involves storing any provided GitHub token in plaintext within the editor configuration file on disk, instead of using the more secure "securestorage" API. This means that an attacker with read-only access to the user's home directory could read the token and potentially misuse it.

Impact Analysis

If an attacker gains read-only access to your home directory, they could retrieve the plaintext GitHub token stored by the vulnerable extension. This token could then be used by the attacker to perform actions on your behalf within GitHub, potentially leading to unauthorized access or changes in your repositories or workflows.

Mitigation Strategies

Update the GitHub Workflow Updater VS Code extension to version 0.0.7 or later to ensure that GitHub tokens are stored securely using the securestorage API instead of plaintext in the editor configuration files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62794. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart