CVE-2025-46820 (GCVE-0-2025-46820)

Vulnerability from cvelistv5 – Published: 2025-05-06 18:48 – Updated: 2025-05-06 19:02
VLAI?
Title
phpgt/Dom exposes the GITHUB_TOKEN in Dom workflow run artifact
Summary
phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue.
Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-312 - Cleartext Storage of Sensitive Information
  • CWE-522 - Insufficiently Protected Credentials
  • CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
Impacted products
Vendor Product Version
phpgt Dom Affected: < 4.1.8
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46820",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T19:01:15.686908Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T19:02:09.024Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Dom",
          "vendor": "phpgt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run\u0027s GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312: Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-538",
              "description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-06T18:48:52.176Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/phpgt/Dom/security/advisories/GHSA-cwj7-6v67-2cm4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/phpgt/Dom/security/advisories/GHSA-cwj7-6v67-2cm4"
        },
        {
          "name": "https://github.com/phpgt/Dom/commit/205cddcc82c002dfa48e874494efbf4c49497394",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/phpgt/Dom/commit/205cddcc82c002dfa48e874494efbf4c49497394"
        }
      ],
      "source": {
        "advisory": "GHSA-cwj7-6v67-2cm4",
        "discovery": "UNKNOWN"
      },
      "title": "phpgt/Dom exposes the GITHUB_TOKEN in Dom workflow run artifact"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46820",
    "datePublished": "2025-05-06T18:48:52.176Z",
    "dateReserved": "2025-04-30T19:41:58.134Z",
    "dateUpdated": "2025-05-06T19:02:09.024Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-46820\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-06T19:16:00.223\",\"lastModified\":\"2025-05-07T14:13:20.483\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run\u0027s GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"phpgt/Dom proporciona acceso a las API modernas de DOM. Las versiones de phpgt/Dom anteriores a la 4.1.8 exponen el token GITHUB_TOKEN en el artefacto de ejecuci\u00f3n del flujo de trabajo de Dom. El archivo de flujo de trabajo ci.yml utiliza actions/upload-artifact@v4 para cargar el artefacto de compilaci\u00f3n. Este artefacto es un archivo zip del directorio actual, que incluye el archivo .git/config generado autom\u00e1ticamente que contiene el token GITHUB_TOKEN de la ejecuci\u00f3n. Dado que el artefacto se puede descargar antes de que finalice el flujo de trabajo, un atacante puede extraer el token del artefacto durante unos segundos y usarlo con la API de GitHub para enviar c\u00f3digo malicioso o reescribir las confirmaciones de versiones en el repositorio. Cualquier usuario intermedio del repositorio puede verse afectado, pero el token solo deber\u00eda ser v\u00e1lido mientras dure la ejecuci\u00f3n del flujo de trabajo, lo que limita el tiempo de explotaci\u00f3n. La versi\u00f3n 4.1.8 soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-312\"},{\"lang\":\"en\",\"value\":\"CWE-522\"},{\"lang\":\"en\",\"value\":\"CWE-538\"}]}],\"references\":[{\"url\":\"https://github.com/phpgt/Dom/commit/205cddcc82c002dfa48e874494efbf4c49497394\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/phpgt/Dom/security/advisories/GHSA-cwj7-6v67-2cm4\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46820\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-06T19:01:15.686908Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-06T19:01:31.707Z\"}}], \"cna\": {\"title\": \"phpgt/Dom exposes the GITHUB_TOKEN in Dom workflow run artifact\", \"source\": {\"advisory\": \"GHSA-cwj7-6v67-2cm4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"phpgt\", \"product\": \"Dom\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.1.8\"}]}], \"references\": [{\"url\": \"https://github.com/phpgt/Dom/security/advisories/GHSA-cwj7-6v67-2cm4\", \"name\": \"https://github.com/phpgt/Dom/security/advisories/GHSA-cwj7-6v67-2cm4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/phpgt/Dom/commit/205cddcc82c002dfa48e874494efbf4c49497394\", \"name\": \"https://github.com/phpgt/Dom/commit/205cddcc82c002dfa48e874494efbf4c49497394\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run\u0027s GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-312\", \"description\": \"CWE-312: Cleartext Storage of Sensitive Information\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-522\", \"description\": \"CWE-522: Insufficiently Protected Credentials\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-538\", \"description\": \"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-06T18:48:52.176Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-46820\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-06T19:02:09.024Z\", \"dateReserved\": \"2025-04-30T19:41:58.134Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-06T18:48:52.176Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.