CVE-2025-32111
📋 TL;DR
This CVE describes a GitHub Actions workflow vulnerability in the acme.sh Docker image build where the actions/checkout step lacks 'persist-credentials: false'. Without that setting, checkout leaves the workflow's GitHub token in the checked-out repository's git configuration, where any later step in the same job can read it. This affects users who build or run Docker images from acme.sh repositories before the fix. The vulnerability could allow attackers to access sensitive credentials during CI/CD pipeline execution.
💻 Affected Systems
- acme.sh Docker images
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to GitHub repository secrets, potentially compromising the entire repository, stealing source code, and using credentials for lateral movement.
Likely Case
Unauthorized access to repository contents and potential credential theft if malicious code is introduced into the workflow.
If Mitigated
Minimal impact with proper credential management and workflow security practices in place.
🎯 Exploit Status
Exploitation requires access to modify or inject malicious steps into GitHub Actions workflows.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 40b6db6a2715628aa977ed1853fe5256704010ae and later
Vendor Advisory: https://github.com/acmesh-official/acme.sh/commit/40b6db6a2715628aa977ed1853fe5256704010ae
Restart Required: No
Instructions:
1. Update to acme.sh commit 40b6db6 or later
2. Rebuild Docker images using the updated workflow
3. Replace any existing vulnerable Docker images with patched versions
🔧 Temporary Workarounds
Manual workflow modification
Add 'persist-credentials: false' to all actions/checkout steps in .github/workflows/dockerhub.yml.
Edit .github/workflows/dockerhub.yml and ensure every checkout action includes:
- uses: actions/checkout@v3
  with:
    persist-credentials: false
🧯 If You Can't Patch
- Disable automatic Docker image builds from GitHub Actions
- Implement strict access controls and monitoring for CI/CD pipeline activities
🔍 How to Verify
Check if Vulnerable:
Inspect .github/workflows/dockerhub.yml for missing 'persist-credentials: false' in checkout actions
Check Version:
git log --oneline | grep -i '40b6db6' || docker inspect <image> | grep -i version
Verify Fix Applied:
Confirm the workflow file includes 'persist-credentials: false' for all checkout actions
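The "Check if Vulnerable" inspection above can be automated. The following Python script is an added example, not part of the advisory or of acme.sh: it scans a workflow file line by line (no YAML library needed) and reports every actions/checkout step whose with: block does not set persist-credentials: false. The embedded workflow is a constructed sample, not the real dockerhub.yml, and the script name is an assumption.

```python
import re
import sys

CHECKOUT_RE = re.compile(r"^\s*(-\s+)?uses:\s*['\"]?actions/checkout@", re.I)
STEP_START_RE = re.compile(r"^\s*-\s")  # the '- ' that opens a list item (a step)
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$", re.I)

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def find_unsafe_checkouts(workflow_text):
    """Return 1-based line numbers of actions/checkout steps lacking persist-credentials: false."""
    lines = workflow_text.splitlines()
    unsafe = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.match(line):
            continue
        # Walk back to the '- ' opening this step ('- uses:' itself, or an earlier '- name:').
        start = i
        while start > 0 and not (STEP_START_RE.match(lines[start]) and _indent(lines[start]) <= _indent(line)):
            start -= 1
        step_indent = _indent(lines[start])
        # The step body ends at the next non-blank line indented at or above the dash.
        body = []
        for nxt in lines[start + 1:]:
            if nxt.strip() and _indent(nxt) <= step_indent:
                break
            body.append(nxt)
        if not any(PERSIST_FALSE_RE.match(b) for b in body):
            unsafe.append(i + 1)
    return unsafe

# Constructed sample (not acme.sh's real dockerhub.yml): the first checkout keeps the token, the second opts out.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
  release:
    steps:
      - name: Check out source
        uses: actions/checkout@v3
        with:
          persist-credentials: false
"""

if __name__ == "__main__":  # usage: python check_checkout.py .github/workflows/dockerhub.yml
    for path in sys.argv[1:]:
        hits = find_unsafe_checkouts(open(path).read())
        print(path, "OK" if not hits else f"checkout keeps credentials at line(s) {hits}")
```

Run it against every file under .github/workflows/, since a build image is only as safe as the least careful workflow that checks out the repository.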
📡 Detection & Monitoring
Log Indicators:
- Unexpected GitHub token usage in CI/CD logs
- Unauthorized repository access attempts
Network Indicators:
- Unusual outbound connections from CI/CD systems to GitHub API
SIEM Query:
source="github-actions" AND (event="workflow_run" OR event="repository_dispatch") AND token_usage="unexpected"