EXECUTIVE SUMMARY:
A vulnerability in GitHub’s CodeQL actions, tracked as CVE-2025-24362, with a CVSS score of 7.1, could have allowed attackers to execute malicious code across numerous repositories by exploiting a publicly exposed GitHub token in workflow artifacts. Although the token was valid for just over a second, a researcher demonstrated that it could be captured and used to manipulate repositories, including modifying CodeQL workflow tags to inject malicious code. This flaw had widespread implications, enabling attackers to exfiltrate private repository data, steal GitHub Actions secrets, execute code on internal infrastructure, and poison GitHub Actions Cache for persistent compromise. High-profile repositories such as Homebrew, Angular, and Grafana were among those potentially at risk. This incident highlights the critical risks in CI/CD pipelines, emphasizing the need for strict artifact management and token security. Proactive mitigation measures are essential to prevent supply chain attacks in development workflows.
RECOMMENDATION:
REFERENCES:
CodeQLEAKED – GitHub Supply Chain Attack Allows Code Execution Using CodeQL Repositories