170 matches found
EUVD-2024-22479
Malicious code in bioql PyPI...
CodeQL zero to hero part 5: Debugging queries
When you're first getting started with CodeQL, you may find yourself in a situation where a query doesn't return the results you expect. Debugging these queries can be tricky, because CodeQL is a Prolog-like language with an evaluation model that's quite different from mainstream languages like...
Adversarial Bug Reports As a Security Risk in Language Model-Based Automated Program Repair
Large Language Model LLM - based Automated Program Repair APR systems are increasingly integrated into modern software development workflows, offering automated patches in response to natural language bug reports. However, this reliance on untrusted user input introduces a novel and underexplored...
How to catch GitHub Actions workflow injections before attackers do
You already know that security is important to keep in mind when creating code and maintaining projects. Odds are, you also know that it's much easier to think about security from the ground up rather than trying to squeeze it in at the end of a project. But did you know that GitHub Actions...
CVE-2025-24362
In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository...
CVE-2024-25129
The CodeQL CLI repo holds binaries for the CodeQL command line interface CLI. Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously...
CVE-2023-28430
OneSignal is an email, sms, push notification, and in-app message service for mobile apps.The Zapier.yml workflow is triggered on issues types: closed i.e., when an Issue is closed. The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on...
CVE-2021-32638
Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead ...
CVE-2024-45388
Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The /api/v2/simulation POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary...
CVE-2024-28848
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The CompiledRule::validateExpression method evaluates an SpEL expression using an StandardEvaluationContext, allowing the...
MAL-2025-643 Malicious code in codeql-query (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=-...
Malicious code in codeql-query (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=-...
GHSA-VQF5-2XX6-9WFM GitHub PAT written to debug artifacts
Impact summary In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to th...
GitHub PAT written to debug artifacts
Impact summary In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to th...
CVE-2025-24362
In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository...
CVE-2025-24362 CodeQL GitHub Action failed workflow writes GitHub PAT to debug artifacts
In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository...
CVE-2025-24362 CodeQL GitHub Action failed workflow writes GitHub PAT to debug artifacts
In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository...
CVE-2025-24362
CVE-2025-24362 concerns CodeQL Action when debug artifacts are enabled. In certain failed CodeQL analyses on Java/Kotlin repos, the uploaded debug artifacts could contain environment variables from the workflow run, including secrets such as the GITHUB_TOKEN. The token could be valid for the dura...
CodeQL Action 日志信息泄露漏洞
CodeQL Action is a GitHub open source application. It is used to run CodeQL, GitHub's industry-leading static analysis engine, on repository source code to find security vulnerabilities. A log message disclosure vulnerability exists in CodeQL Action versions prior to 3.28.3, which stems from...
PT-2025-5344 · Github · Codeql Action +1
Name of the Vulnerable Software and Affected Versions: CodeQL Action versions prior to 3.28.3 CodeQL CLI versions prior to 2.20.3 Description: In certain circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain environment variables from t...