CVE-2025-46820

phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/phpgt/Dom/commit/205cddcc82c002dfa48e874494efbf4c49497394
https://github.com/phpgt/Dom/security/advisories/GHSA-cwj7-6v67-2cm4

Configurations

No configuration.

History

07 May 2025, 14:13

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-06 19:16

Updated : 2025-05-07 14:13

NVD link : CVE-2025-46820

Mitre link : CVE-2025-46820

CVE.ORG link : CVE-2025-46820

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-312

Cleartext Storage of Sensitive Information

CWE-522

Insufficiently Protected Credentials

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

{"id": "CVE-2025-46820", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 1.6}]}, "published": "2025-05-06T19:16:00.223", "references": [{"url": "https://github.com/phpgt/Dom/commit/205cddcc82c002dfa48e874494efbf4c49497394", "source": "security-advisories@github.com"}, {"url": "https://github.com/phpgt/Dom/security/advisories/GHSA-cwj7-6v67-2cm4", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-538"}]}], "descriptions": [{"lang": "en", "value": "phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue."}, {"lang": "es", "value": "phpgt/Dom proporciona acceso a las API modernas de DOM. Las versiones de phpgt/Dom anteriores a la 4.1.8 exponen el token GITHUB_TOKEN en el artefacto de ejecuci\u00f3n del flujo de trabajo de Dom. El archivo de flujo de trabajo ci.yml utiliza actions/upload-artifact@v4 para cargar el artefacto de compilaci\u00f3n. Este artefacto es un archivo zip del directorio actual, que incluye el archivo .git/config generado autom\u00e1ticamente que contiene el token GITHUB_TOKEN de la ejecuci\u00f3n. Dado que el artefacto se puede descargar antes de que finalice el flujo de trabajo, un atacante puede extraer el token del artefacto durante unos segundos y usarlo con la API de GitHub para enviar c\u00f3digo malicioso o reescribir las confirmaciones de versiones en el repositorio. Cualquier usuario intermedio del repositorio puede verse afectado, pero el token solo deber\u00eda ser v\u00e1lido mientras dure la ejecuci\u00f3n del flujo de trabajo, lo que limita el tiempo de explotaci\u00f3n. La versi\u00f3n 4.1.8 soluciona el problema."}], "lastModified": "2025-05-07T14:13:20.483", "sourceIdentifier": "security-advisories@github.com"}