
CVE-2025-24362: CodeQL GitHub Action failed workflow writes GitHub PAT to debug artifacts

7.1 CVSS

Description

In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment. This vulnerability is patched in CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.

For some affected workflow runs, the exposed environment variables in the debug artifacts included a valid `GITHUB_TOKEN` for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The `GITHUB_TOKEN` is valid until the job completes or 24 hours has elapsed, whichever comes first.

Environment variables are exposed only from workflow runs that satisfy all of the following conditions:
- Code scanning workflow configured to scan the Java/Kotlin languages.
- Running in a repository containing Kotlin source code.
- Running with debug artifacts enabled.
- Using CodeQL Action versions <= 3.28.2, and CodeQL CLI versions >= 2.9.2 (May 2022) and <= 2.20.2.
- The workflow run fails before the CodeQL database is finalized within the `github/codeql-action/analyze` step.
- Running in any GitHub environment: GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. Note: artifacts are only accessible to users within...
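As an added example (not code from the advisory or from the CodeQL Action project), a hypothetical Python checker that reads a workflow file and reports which of the file-visible conditions above hold. It assumes debug artifacts are enabled through the `init` step's `debug: true` input, and it treats floating refs such as `@v3` or a commit SHA as unresolved, since the affected-version test needs the version the runner actually resolves.

```python
import re

# Hypothetical checker written for this note, not part of the CodeQL Action.
# It reads workflow YAML with regexes and reports which of the advisory's
# file-visible preconditions hold (debug assumed enabled via `debug: true`).
PATCHED_ACTION = (3, 28, 3)  # first codeql-action release carrying the fix
USES_RE = re.compile(r"uses:\s*github/codeql-action/\w+@(\S+)")
LANG_RE = re.compile(r"languages:\s*(.+)")
DEBUG_RE = re.compile(r"debug:\s*true", re.IGNORECASE)

def parse_action_version(ref):
    """(major, minor, patch) for a full tag like v3.28.2; None for floating
    tags (v3, main) or commit SHAs, which must be resolved on the runner."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def sample_workflow(ref, languages, debug):
    # Constructed minimal workflow text for the demo, not a real repo file.
    return f"""
jobs:
  analyze:
    steps:
      - uses: github/codeql-action/init@{ref}
        with:
          languages: {languages}
          debug: {debug}
      - uses: github/codeql-action/analyze@{ref}
"""

def scan_workflow(yaml_text):
    """Summarise the advisory's preconditions visible in one workflow file."""
    refs = USES_RE.findall(yaml_text)
    versions = [parse_action_version(r) for r in refs]
    # Tokenise so "javascript" does not count as "java".
    tokens = re.findall(r"[a-z-]+", " ".join(LANG_RE.findall(yaml_text)).lower())
    java_kotlin = any(t in ("java", "kotlin", "java-kotlin") for t in tokens)
    debug = DEBUG_RE.search(yaml_text) is not None
    pinned = [v for v in versions if v is not None]
    old_action = any(v < PATCHED_ACTION for v in pinned)
    unresolved = len(pinned) < len(refs)
    return {
        "java_kotlin": java_kotlin,
        "debug_artifacts": debug,
        "action_version_affected": old_action,
        "version_unresolved": unresolved,
        # Kotlin sources in the repo and the failing run are runtime facts,
        # so this is "possible", not "confirmed".
        "exposure_possible": bool(refs and java_kotlin and debug
                                  and (old_action or unresolved)),
    }
```

The CLI version range and the "fails before database finalization" condition are not visible in the workflow file, so a positive result means the run should be checked (and any uploaded debug artifact reviewed and the workflow token treated as exposed until it expires), not that exposure occurred.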

Classification

CVE ID: CVE-2025-24362

CVSS Base Severity: HIGH

CVSS Base Score: 7.1

Affected Products

Vendor: github

Product: codeql-action

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.63% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-21 (date on which this score was calculated)

References

https://github.com/github/codeql-action/security/advisories/GHSA-vqf5-2xx6-9wfm
https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m
https://github.com/github/codeql-action/pull/1074
https://github.com/github/codeql-action/pull/2482
https://github.com/github/codeql-action/commit/519de26711ecad48bde264c51e414658a82ef3fa
https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough
