A recently discovered security vulnerability in GitHub CodeQL has exposed a potential supply chain attack vector that could have affected hundreds of thousands of repositories. The vulnerability, tracked as CVE-2025-24362, stemmed from a publicly exposed secret that was valid for approximately 1.022 seconds.
During this brief window, an attacker could potentially execute malicious code within the GitHub Actions workflows of any repository using CodeQL, GitHub's widely trusted code analysis engine. The impact extended to both public GitHub Cloud and GitHub Enterprise environments.
The vulnerability was uncovered in January 2025 during a research project focused on scanning GitHub Actions workflow artifacts for exposed secrets. A security researcher identified a GitHub App installation token in a crash report within the github/codeql-action repository.
The exposed token had full write privileges, including the ability to create branches, trigger workflow events, and upload packages. While the token's extremely short validity period of just over 1 second presented a challenge, researchers demonstrated that it was enough time to execute malicious actions.
The potential impact of this vulnerability included:
- Exfiltration of source code from private repositories using CodeQL
- Theft of credentials stored in GitHub Actions secrets
- Code execution on internal infrastructure running CodeQL workflows
- Compromise of GitHub Actions cache systems
The vulnerability was particularly concerning because it could affect any repository using CodeQL's default configuration. When CodeQL is enabled in a repository, its workflow executes actions from the github/codeql-action repository referenced by specific version tags. An attacker who could move those tags to point at malicious code would have had that code run in every repository that pins to them, distributing the compromise across all repositories using CodeQL.
GitHub's security team responded swiftly to the disclosure, implementing fixes within three hours of the initial report. The company has stated they found no evidence of compromise to their platform or systems.
Organizations using GitHub Actions are advised to:
- Upload only specific files as workflow artifacts
- Avoid uploading artifacts that contain environment variables, such as crash or debug dumps
- Restrict GITHUB_TOKEN permissions to the minimum each workflow needs
- Implement artifact scanning before upload
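Added here as a worked example of the last recommendation, scanning artifacts before upload; this is not code from the article or from GitHub. It assumes the staged artifact is available as a path-to-contents mapping; the token prefixes are GitHub's documented formats, the environment variable names are the ones the Actions runner sets, and the crash report it scans is constructed.

```python
import re
from typing import Dict, List, Tuple

# Prefixes documented by GitHub: ghs_ is a GitHub App installation token (the
# kind found in the CodeQL crash report); ghp_/gho_/ghu_/ghr_ are classic PAT,
# OAuth, user-to-server and refresh tokens. The JWT and env-var rules catch the
# Actions runtime token and credential-bearing variables dumped into a report.
PATTERNS = {
    "github_app_installation_token": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "github_classic_token": re.compile(r"\bgh[pour]_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "credential_env_var": re.compile(
        r"^\s*(GITHUB_TOKEN|ACTIONS_RUNTIME_TOKEN|ACTIONS_ID_TOKEN_REQUEST_TOKEN)\s*="),
}
Finding = Tuple[str, str, int, str]  # (file, rule, line number, redacted match)

def scan_text(name: str, text: str) -> List[Finding]:
    """One finding per (line, rule) hit; matches are redacted so the scanner's
    own output cannot become a second leak."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((name, rule, lineno, m.group(0)[:8] + "..."))
    return findings

def scan_artifact(files: Dict[str, str]) -> List[Finding]:
    """Scan every file staged for upload-artifact (path -> contents)."""
    return [f for name, text in files.items() for f in scan_text(name, text)]

def safe_to_upload(files: Dict[str, str]) -> bool:
    """Gate for a workflow step: refuse the upload if anything matched."""
    return not scan_artifact(files)

# Constructed sample: a crash report carrying an environment dump, plus a clean
# SARIF file. The token value is fabricated (36 'A's after the prefix).
SAMPLE_FILES = {
    "crash-report.txt": (
        "codeql-action crashed; environment dump follows\n"
        "  GITHUB_TOKEN=ghs_" + "A" * 36 + "\n"
        "  ACTIONS_RUNTIME_TOKEN=eyJhbGciOiJSUzI1NiJ9.example.signature\n"),
    "results.sarif": '{"version": "2.1.0", "runs": []}\n',
}

if __name__ == "__main__":
    for name, rule, lineno, hint in scan_artifact(SAMPLE_FILES):
        print(f"{name}:{lineno} {rule} {hint}")
    print("safe to upload:", safe_to_upload(SAMPLE_FILES))
```

Wiring `safe_to_upload` into a step that runs before `actions/upload-artifact` turns the fourth recommendation into a hard gate rather than a review item.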
The discovery highlights the growing importance of securing CI/CD pipelines and the potential widespread impact of supply chain attacks through development tools.