CVE-2025-62794
BaseFortify
Publication date: 2025-10-28
Last updated on: 2025-10-30
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | github_workflow_updater | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the GitHub Workflow Updater VS Code extension (before version 0.0.7) is that any GitHub token the user provides is stored in plaintext in the editor configuration file on disk, rather than through the more secure "securestorage" API. As a result, an attacker with read-only access to the user's home directory could read the token and potentially misuse it.
How can this vulnerability impact me?
If an attacker gains read-only access to your home directory, they could retrieve the plaintext GitHub token stored by the vulnerable extension. This token could then be used by the attacker to perform actions on your behalf within GitHub, potentially leading to unauthorized access or changes in your repositories or workflows.
What immediate steps should I take to mitigate this vulnerability?
Update the GitHub Workflow Updater VS Code extension to version 0.0.7 or later, so that GitHub tokens are stored through the securestorage API instead of in plaintext in the editor configuration file. Because the token may already have been exposed on disk, also consider revoking the existing token and issuing a new one.