Back to Vulnerability List

github: CodeQLEAKED: github/codeql-action Uploaded GITHUB_TOKEN in Debug Artifacts

CVE-2025-24362 High Published

CVSS

7.1 High

EPSS

0.00324 0.3% chance of exploit in 30d

CWE

CWE-532 Insertion of Sensitive Information into Log File

Vector

—

Summary

Per GHSA-vqf5-2xx6-9wfm: “In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment. For some affected workflow runs, the exposed environment variables in the debug artifacts included a valid GITHUB_TOKEN for the workflow run, which has access to the repository in which the workflow [ran].”

Affected Packages / Versions

Package: github/codeql-action (GitHub Actions)
Latest published version at triage time: Per GHSA-vqf5-2xx6-9wfm
Affected range: Per GHSA-vqf5-2xx6-9wfm: actions/github/codeql-action versions >= 3.26.11 and <= 3.28.2, plus the v2 line >= 2.26.11 < 3.0.0.
Patched version: Per GHSA: see fix commit 519de26711ecad48bde264c51e414658a82ef3fa and PR #2482

Impact

Per Praetorian’s blog: “In that second, an attacker could take a series of steps that would allow them to execute code within a GitHub Actions workflow in most repositories using CodeQL, GitHub’s code analysis engine trusted by hundreds of thousands of repositories.” Praetorian’s blog enumerates four outcomes: source-code exfiltration of private repositories using CodeQL, theft of GitHub Actions secrets used by workflows that integrate CodeQL, code execution on internal infrastructure running CodeQL workflows, and compromise of GitHub Actions Cache secrets. Praetorian also notes: “Per GitHub’s advisory, they have found no evidence of compromise to its platform or systems.”

Severity Rationale

GHSA severity: HIGH. NVD CVSS 7.1 (High). The score reflects the access-control weakness: leaked artifacts were available only to repository readers, not the public, but the secrets that could leak via this path can themselves enable supply-chain compromise.

Fix

Per GHSA: upgrade github/codeql-action past 3.28.2 (and past the v2 patched version). Fix commit 519de26711ecad48bde264c51e414658a82ef3fa via PR #2482.

Disclosure timeline

TBDReported to vendor
TBDPatch released (github/codeql-action update)
Jan 24, 2025GHSA-vqf5-2xx6-9wfm published / Praetorian disclosure

Fix Commit(s)

References

Discovered by Praetorian Labs (CodeQLEAKED) — researcher named in cve-research listing · Published April 29, 2026

Praetorian Guard Platform

Penetration Testing Services

Advanced Offensive Security

Continuous Offensive Security

Customer Case Studies

Resources

Use Cases

About Praetorian

Join Praetorian