CVE-2024-52009

9.8 CRITICAL

📋 TL;DR

CVE-2024-52009 is a critical vulnerability in Atlantis that logs GitHub access tokens during rotation, exposing them to anyone with log read access. This allows attackers to impersonate Atlantis and perform unauthorized GitHub actions, potentially gaining administrative privileges in GitHub organizations. All Atlantis users with GitHub integration are affected.

💻 Affected Systems

Products:
  • Atlantis
Versions: All versions before v0.30.0
Operating Systems: All operating systems running Atlantis
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using GitHub integration where token rotation occurs. The vulnerability is present in default logging behavior.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of GitHub organization with administrative privileges, enabling code manipulation, repository deletion, user management, and supply chain attacks.

🟠

Likely Case

Unauthorized access to GitHub repositories, code exfiltration, privilege escalation within the organization, and potential lateral movement to connected systems.

🟢

If Mitigated

Limited impact if logs are properly secured with strict access controls, monitoring, and regular rotation of exposed credentials.

🌐 Internet-Facing: MEDIUM - While the vulnerability itself doesn't require internet exposure, internet-facing Atlantis instances increase attack surface for log access.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts with log access can exploit this to gain GitHub organization privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to Atlantis logs containing rotated GitHub tokens. No authentication bypass needed if logs are accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.30.0

Vendor Advisory: https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp

Restart Required: Yes

Instructions:

1. Back up the current Atlantis configuration and data.
2. Stop the Atlantis service.
3. Upgrade to Atlantis v0.30.0 or later.
4. Restart the Atlantis service.
5. Verify that the logs no longer contain GitHub tokens.

🔧 Temporary Workarounds

No official workarounds

The vendor states there are no known workarounds for this vulnerability. Upgrading is the only solution.

🧯 If You Can't Patch

  • Implement strict access controls on Atlantis log files and directories (minimum privilege principle)
  • Rotate all exposed GitHub tokens immediately and monitor for unauthorized access

🔍 How to Verify

Check if Vulnerable:

Check the Atlantis version: if it is below v0.30.0, the system is vulnerable. Also check the logs for the presence of 'ghs_' tokens.

Check Version:

atlantis version

Verify Fix Applied:

After upgrading to v0.30.0 or later, verify that GitHub tokens no longer appear in the logs during rotation, and confirm that the version check reports v0.30.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Log entries containing 'ghs_' GitHub tokens
  • Unexpected GitHub API calls from Atlantis IP
  • Failed authentication attempts with rotated tokens

Network Indicators:

  • Unusual GitHub API traffic patterns from Atlantis instance
  • GitHub token usage from unexpected locations

SIEM Query:

source="atlantis.log" AND "ghs_"
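The version check and the 'ghs_' log check above, as an added example that is not part of this advisory or of the Atlantis project: it scans log lines for ghs_ tokens, masks each match so the finding can be shared without re-exposing the credential, and compares a version string against the fixed release. The sample log lines are constructed, and the token length bound in the pattern is an assumption.

```python
import re
from typing import NamedTuple

# GitHub App installation tokens carry the 'ghs_' prefix named in the advisory.
# The minimum length is an assumption so that ordinary words do not match.
GHS_TOKEN_RE = re.compile(r"ghs_[A-Za-z0-9]{20,}")

class Finding(NamedTuple):
    line_no: int
    redacted_line: str

def redact(token: str) -> str:
    """Keep a short prefix so the event stays traceable; hide the rest."""
    return token[:8] + "*" * (len(token) - 8)

def scan_log(lines):
    """Return one Finding per log line that contains a ghs_ token,
    with the token masked so the finding itself is safe to hand around."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if GHS_TOKEN_RE.search(line):
            masked = GHS_TOKEN_RE.sub(lambda m: redact(m.group(0)), line)
            findings.append(Finding(n, masked))
    return findings

def is_vulnerable_version(version: str, fixed: str = "0.30.0") -> bool:
    """Numeric compare of plain 'vX.Y.Z' strings (no pre-release suffixes);
    anything below the fixed version is affected."""
    def parse(v):
        return tuple(int(p) for p in v.lstrip("v").split("."))
    return parse(version) < parse(fixed)

# Constructed sample lines, not real Atlantis output.
SAMPLE_LOG = [
    '{"level":"info","msg":"starting atlantis v0.29.0"}',
    '{"level":"debug","msg":"rotating github app token",'
    '"token":"ghs_AbCdEf0123456789AbCdEf0123456789AbCd"}',
    '{"level":"info","msg":"plan succeeded for repo example/infra"}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.redacted_line}")
```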
