Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-62794

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-28 Oct, 2025 | 20:53
Updated At-29 Oct, 2025 | 17:33
Rejected At-
Credits

GitHub Workflow Updater stored the optional Github token in plaintext

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:28 Oct, 2025 | 20:53
Updated At:29 Oct, 2025 | 17:33
Rejected At:
▼CVE Numbering Authority (CNA)
GitHub Workflow Updater stored the optional Github token in plaintext

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

Affected Products
Vendor
RichardoC
Product
github-workflow-updater-extension
Versions
Affected
  • < 0.0.7
Problem Types
TypeCWE IDDescription
CWECWE-522CWE-522: Insufficiently Protected Credentials
Type: CWE
CWE ID: CWE-522
Description: CWE-522: Insufficiently Protected Credentials
Metrics
VersionBase scoreBase severityVector
3.13.8LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Version: 3.1
Base score: 3.8
Base severity: LOW
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/RichardoC/github-workflow-updater-extension/security/advisories/GHSA-679x-97jw-8vjp
x_refsource_CONFIRM
https://github.com/RichardoC/github-workflow-updater-extension/commit/b9518c38ac6bc2a9fda2242e6daef17f7184ad1f
x_refsource_MISC
https://github.com/microsoft/vscode-discussions/discussions/748
x_refsource_MISC
Hyperlink: https://github.com/RichardoC/github-workflow-updater-extension/security/advisories/GHSA-679x-97jw-8vjp
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/RichardoC/github-workflow-updater-extension/commit/b9518c38ac6bc2a9fda2242e6daef17f7184ad1f
Resource:
x_refsource_MISC
Hyperlink: https://github.com/microsoft/vscode-discussions/discussions/748
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:28 Oct, 2025 | 21:15
Updated At:30 Oct, 2025 | 15:05

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.13.8LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 3.8
Base severity: LOW
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-522Primarysecurity-advisories@github.com
CWE ID: CWE-522
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/RichardoC/github-workflow-updater-extension/commit/b9518c38ac6bc2a9fda2242e6daef17f7184ad1fsecurity-advisories@github.com
N/A
https://github.com/RichardoC/github-workflow-updater-extension/security/advisories/GHSA-679x-97jw-8vjpsecurity-advisories@github.com
N/A
https://github.com/microsoft/vscode-discussions/discussions/748security-advisories@github.com
N/A
Hyperlink: https://github.com/RichardoC/github-workflow-updater-extension/commit/b9518c38ac6bc2a9fda2242e6daef17f7184ad1f
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/RichardoC/github-workflow-updater-extension/security/advisories/GHSA-679x-97jw-8vjp
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/microsoft/vscode-discussions/discussions/748
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2025-67860
Matching Score-4
Assigner-SUSE
ShareView Details
Matching Score-4
Assigner-SUSE
CVSS Score-3.8||LOW
EPSS-0.01% / 1.26%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 10:33
Updated-25 Feb, 2026 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NeuVector scanner insecurely handles passwords as command arguments

A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users.

Action-Not Available
Vendor-SUSE
Product-harvester
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2025-48709
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 2.59%
||
7 Day CHG~0.00%
Published-07 Aug, 2025 | 00:00
Updated-18 Dec, 2025 | 17:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BMC Control-M/Server cleartext database credentials in process lists and logs

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.

Action-Not Available
Vendor-bmcBMCbmc
Product-control-m\/serverControl-M/Servercontrol-m
CWE ID-CWE-214
Invocation of Process Using Visible Sensitive Information
CWE ID-CWE-522
Insufficiently Protected Credentials
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
Details not found