Severity

critical

CodeQLEAKED - CodeQL Supply Chain Attack via Exposed Secret

Published Wed, Mar 26th, 2025

Platforms

github

Summary

A GitHub Actions workflow in the github/codeql-action repository uploaded a debug artifact that contained the job's environment variables, including the job's GITHUB_TOKEN. Workflow artifacts on a public repository can be downloaded by anyone, so the token was publicly exposed. It remained valid for only a 1-2 second window after the artifact became downloadable, so exploitation required automating the download and use of the token within that window. A token with write access to github/codeql-action could be used to push malicious code and repoint a release tag that downstream workflows reference, causing that code to execute in every repository that runs CodeQL from the tag, with source code exfiltration, secrets compromise, and a broad supply chain attack as the potential impact.

Affected Services

GitHub CodeQL, GitHub Actions

Remediation

Update to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.

Tracked CVEs

CVE-2025-24362

References

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Wed, Jan 22nd, 2025

Exploitability Period

Until Wed, Jan 22nd, 2025

Known ITW Exploitation

-

Detection Methods

Monitor github/codeql-action and other CodeQL-related repositories for unexpected branch or tag creation, and for existing release tags being moved to new commits. Scan downloaded workflow artifacts, debug artifacts in particular, for token-shaped strings such as GITHUB_TOKEN values. Review CodeQL workflow configurations for action references that use a mutable tag or branch instead of a full commit SHA.
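As an added illustration, not code from the advisory or from the CodeQL project, the following Python script implements the last two checks above: it scans a workflow artifact zip for token-shaped strings and flags github/codeql-action references that point at a mutable tag rather than a commit SHA. The artifact contents, the workflow YAML, the token value and the SHA values are constructed for the example; the token regex assumes the common GitHub token prefixes (GITHUB_TOKEN values issued to Actions jobs use the ghs_ prefix).

```python
import io
import re
import zipfile

# Assumed token shape: GitHub token prefix (ghs_ for Actions job tokens, plus the
# other common gh*_ prefixes) followed by 36 alphanumeric characters.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")
# A full commit SHA is the only immutable ref for a `uses:` line.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/path]@ref" entries in a workflow file.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M
)


def build_sample_artifact() -> bytes:
    """Constructed debug artifact: an environment dump (with a fake job token) and a log."""
    env_dump = (
        "HOME=/home/runner\n"
        "GITHUB_TOKEN=ghs_0123456789abcdefghijABCDEFGHIJ012345\n"  # fake, constructed
        "RUNNER_OS=Linux\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("environment.txt", env_dump)
        zf.writestr("analysis.log", "Finished CodeQL analysis in 12s\n")
    return buf.getvalue()


# Constructed workflow; SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3.28.3
      - uses: github/codeql-action/upload-sarif@89abcdef0123456789abcdef0123456789abcdef
"""


def find_tokens_in_artifact(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, token) pairs for every token-shaped string in the artifact."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", errors="replace")
            for match in TOKEN_RE.finditer(text):
                hits.append((name, match.group(1)))
    return hits


def unpinned_codeql_uses(workflow_yaml: str) -> list[str]:
    """Return github/codeql-action references that use a tag or branch instead of a SHA."""
    flagged = []
    for action, ref in USES_RE.findall(workflow_yaml):
        if action.startswith("github/codeql-action") and not SHA_RE.match(ref):
            flagged.append(f"{action}@{ref}")
    return flagged


if __name__ == "__main__":
    for member, token in find_tokens_in_artifact(build_sample_artifact()):
        # Never print the full secret; show enough to locate it.
        print(f"token-shaped string in {member}: {token[:8]}...")
    for ref in unpinned_codeql_uses(SAMPLE_WORKFLOW):
        print(f"mutable CodeQL action reference: {ref}")
```

Run it against a real artifact by replacing build_sample_artifact() with the bytes of a downloaded artifact zip, and against a real workflow by reading .github/workflows/*.yml. A hit from the artifact scan on a public repository should be treated as a live credential exposure until the token has expired or been revoked.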

Piercing Index Rating

-

Discovered by

John Stawinski, Praetorian