CVE-2025-62794

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-62794

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62794.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-62794

Aliases

GHSA-679x-97jw-8vjp

Published

2025-10-28T20:53:14.167Z

Modified

2026-04-02T12:59:18.480851Z

Severity

3.8 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

GitHub Workflow Updater stored the optional Github token in plaintext

Details

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

Database specific

{
    "cwe_ids": [
        "CWE-522"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62794.json"
}

References

Affected packages

Git / github.com/RichardoC/github-workflow-updater-extension

Affected ranges

Type

GIT

Repo

https://github.com/RichardoC/github-workflow-updater-extension

Events

Introduced

Fixed

b9518c38ac6bc2a9fda2242e6daef17f7184ad1f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.7"
        }
    ]
}

Type: GIT
Repo: https://github.com/richardoc/github-workflow-updater-extension
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b9518c38ac6bc2a9fda2242e6daef17f7184ad1f

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62794.json"