What is CVE-2025-24362?

CVE-2025-24362 is a vulnerability in Github Codeql-action, classified under Insertion of Sensitive Information into Log File. Published 2025-01-24.

Is CVE-2025-24362 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Information disclosure in Github Codeql-action

CVE-2025-24362

In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to…

EPSS: 0.003 (53.0th percentile) — read the EPSS interpretation.

Affected products

Github Codeql-action — versions >= 3.26.11, <= 3.28.2, >= 2.26.11, < 3

Weakness classification (CWE)

CWE-532 — Insertion of Sensitive Information into Log File

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

https://github.com/github/codeql-action/security/advisories/GHSA-vqf5-2xx6-9wfm (x_refsource_CONFIRM)
https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m (x_refsource_MISC)
https://github.com/github/codeql-action/pull/1074 (x_refsource_MISC)
https://github.com/github/codeql-action/pull/2482 (x_refsource_MISC)
https://github.com/github/codeql-action/commit/519de26711ecad48bde264c51e414658a82ef3fa (x_refsource_MISC)
https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-24362?: CVE-2025-24362 is a vulnerability in Github Codeql-action, classified under Insertion of Sensitive Information into Log File. Published 2025-01-24.
Is CVE-2025-24362 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.