CVE-2025-62794
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-28

Last updated on: 2025-10-30

Assigner: GitHub, Inc.

Description
GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-28
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62794
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
github github_workflow_updater *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in GitHub Workflow Updater (before version 0.0.7) involves storing any provided GitHub token in plaintext within the editor configuration file on disk, instead of using the more secure "securestorage" API. This means that an attacker with read-only access to the user's home directory could read the token and potentially misuse it.

Impact Analysis

If an attacker gains read-only access to your home directory, they could retrieve the plaintext GitHub token stored by the vulnerable extension. This token could then be used by the attacker to perform actions on your behalf within GitHub, potentially leading to unauthorized access or changes in your repositories or workflows.

Mitigation Strategies

Update the GitHub Workflow Updater VS Code extension to version 0.0.7 or later to ensure that GitHub tokens are stored securely using the securestorage API instead of plaintext in the editor configuration files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62794. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart