CVE-2025-15617
GitHub Token Exposure in Wazuh 4.12.0 Artifacts Allows Unauthorized Actions
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wazuh | wazuh | 4.12.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15617 is a vulnerability in Wazuh version 4.12.0 related to the exposure of the GITHUB_TOKEN within GitHub Actions workflow artifacts.
During the CI/CD process, the workflow uploads artifacts that include a zip archive of the working directory. This archive inadvertently contains the .git/config file, which holds the GITHUB_TOKEN for that workflow run.
Attackers can extract this token from the uploaded artifacts within a limited time window before the workflow completes.
The exposed token allows attackers to perform unauthorized actions such as pushing malicious commits or altering release tags in the repository.
This vulnerability is classified under CWE-522 (Insufficiently Protected Credentials), highlighting the risk of leaking sensitive authentication credentials through insecure artifact handling.
How can this vulnerability impact me?
If exploited, this vulnerability allows attackers to obtain the GITHUB_TOKEN used in the workflow, enabling them to perform unauthorized actions on the repository.
- Push malicious commits directly to the master branch.
- Modify release tags to point to compromised or malicious code.
Such unauthorized changes can compromise the integrity of the codebase and affect all downstream users relying on the repository.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the uploaded GitHub Actions workflow artifacts for the presence of sensitive files such as the .git/config file, which contains the GITHUB_TOKEN.
You can check the artifacts uploaded during workflow runs to see if they include the .git/config file or any files that might contain the GITHUB_TOKEN.
Since the token is embedded in the .git/config file inside the artifact zip archive, you can download the artifact and extract it to look for this file.
- Use the GitHub CLI or API to list and download workflow artifacts: `gh run view <run-id>` lists the artifacts attached to a run, and `gh run download <run-id> -n <artifact-name>` downloads one of them.
- Extract the downloaded artifact (usually a zip file) and check for a `.git/config` entry; `.git` is a hidden directory, so list the archive first: `unzip -l artifact.zip | grep '\.git/config'`, then `unzip artifact.zip` and `cat .git/config`.
- Search the extracted files for the persisted credential. actions/checkout stores it in `.git/config` as an HTTP `extraheader` carrying a basic-auth value, not as the literal string `GITHUB_TOKEN`, so search for that header rather than the variable name: `grep -ri 'extraheader' ./`
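The detection steps above can be automated for every artifact a run produces. The following is an added example, not code from the CVE record or from the Wazuh project: it opens an artifact zip in memory, looks for a `.git/config` entry at any depth, and decodes the basic-auth `extraheader` that actions/checkout writes when it persists credentials, reporting only a redacted form of the secret. The sample artifact and the `ghs_EXAMPLE_PLACEHOLDER_TOKEN` value are constructed for the demonstration and stand in for a real run's artifact.

```python
import base64
import io
import re
import zipfile

# Constructed sample: the shape of the .git/config that actions/checkout
# leaves behind when it persists credentials. The token is a placeholder.
SAMPLE_TOKEN = "ghs_EXAMPLE_PLACEHOLDER_TOKEN"
_SAMPLE_BASIC = base64.b64encode(f"x-access-token:{SAMPLE_TOKEN}".encode()).decode()
SAMPLE_GIT_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    '[remote "origin"]\n'
    "\turl = https://github.com/example-org/example-repo\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    '[http "https://github.com/"]\n'
    f"\textraheader = AUTHORIZATION: basic {_SAMPLE_BASIC}\n"
)

# Matches the header line actions/checkout writes; the capture is the
# base64-encoded "user:token" pair.
AUTH_HEADER_RE = re.compile(
    r"^\s*extraheader\s*=\s*AUTHORIZATION:\s*basic\s+(\S+)", re.I | re.M
)


def build_sample_artifact(include_git_dir=True):
    """Build an in-memory zip resembling an upload of the whole working tree (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("src/main.c", "int main(void) { return 0; }\n")
        zf.writestr("README.md", "# example\n")
        if include_git_dir:
            zf.writestr(".git/HEAD", "ref: refs/heads/main\n")
            zf.writestr(".git/config", SAMPLE_GIT_CONFIG)
    return buf.getvalue()


def _redact(secret):
    """Keep enough of the value to recognise it without reproducing it in a report."""
    if len(secret) > 8:
        return secret[:4] + "..." + secret[-4:]
    return "*" * len(secret)


def scan_git_config(text):
    """Return one finding per persisted basic-auth header in a git config file."""
    findings = []
    for m in AUTH_HEADER_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed base64
            decoded = ""
        user, _, secret = decoded.partition(":")
        findings.append({
            "user": user,
            "token_redacted": _redact(secret),
            "token_length": len(secret),
        })
    return findings


def find_leaked_credentials(zip_bytes):
    """Scan an artifact zip for .git/config entries that carry a persisted token."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Match the repository root and any nested checkout (submodule, vendored clone).
            if name == ".git/config" or name.endswith("/.git/config"):
                text = zf.read(name).decode("utf-8", "replace")
                for finding in scan_git_config(text):
                    finding["path"] = name
                    results.append(finding)
    return results


if __name__ == "__main__":
    for f in find_leaked_credentials(build_sample_artifact()):
        print(f"{f['path']}: user={f['user']} token={f['token_redacted']} ({f['token_length']} chars)")
```

Running it against a real artifact is a matter of passing the downloaded zip's bytes to `find_leaked_credentials`. A non-empty result means the token was shipped outside the runner; revoke or let it expire, then fix the upload step.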
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to restrict the files uploaded as artifacts in the GitHub Actions workflows to exclude sensitive files such as `.git/config` and environment variables that contain the GITHUB_TOKEN.
Modify the workflow files to explicitly exclude `.git/config` from the artifact upload process to prevent token leakage.
Review and update the `actions/upload-artifact@v4` usage in the workflow to only include necessary files and avoid uploading the entire working directory.
Since no patched versions are currently available, these configuration changes are critical to reduce the risk of token exposure.
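The two workflow fragments below are an added illustration of the configuration change described above; they are not taken from the Wazuh repository's workflows. The first shows the pattern that leaks the token (credentials persisted by actions/checkout plus an upload of the entire working directory); the second shows the hardened form using the real `persist-credentials` input of actions/checkout, an exclusion pattern in the `path` list of actions/upload-artifact, and a read-only `permissions` block so the run's token could not push even if it were exposed. The `make build` step and the `dist/` output directory are assumed.

```yaml
# Weak: checkout persists the token into .git/config, and the upload
# step ships the whole working directory, .git included.
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: .
---
# Hardened: no credential is written to .git/config, only the build output
# is uploaded with .git explicitly excluded, and the token is read-only.
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: |
            dist/
            !**/.git/**
```

Each of the three changes is independent: `persist-credentials: false` removes the secret from the file, the exclusion keeps the file out of the artifact, and the reduced `permissions` limits what the token is worth if either of the first two is forgotten in a later edit.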
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves exposure of the GITHUB_TOKEN, which is a sensitive credential used for authentication in automated workflows. This exposure can lead to unauthorized actions such as pushing malicious commits or altering release tags.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of sensitive credentials can potentially lead to unauthorized access or modification of code repositories, which may indirectly affect compliance with security requirements in these regulations.
Specifically, CWE-522 (Insufficiently Protected Credentials) classification highlights the risk of insecure handling of authentication credentials, which is generally against best practices required by many security standards and regulations.
Therefore, organizations using affected versions of Wazuh should consider this vulnerability as a risk to their secure development lifecycle and compliance posture, especially if their workflows involve sensitive or regulated data.