CVE-2025-32953
📋 TL;DR
This vulnerability in z80pack's GitHub Actions workflow exposes the repository's GITHUB_TOKEN in publicly accessible build artifacts. Attackers who download the artifact during a brief window can extract the token and use it to push malicious code or modify releases. Only users running z80pack version 1.38 or earlier from affected GitHub workflows are impacted.
💻 Affected Systems
- z80pack
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains write access to the repository, allowing them to push malicious commits, modify releases, or inject backdoors into the codebase.
Likely Case
Unauthorized code modifications or release tampering if an attacker monitors workflow runs and downloads artifacts during the vulnerable window.
If Mitigated
No impact if the workflow is fixed or artifacts are not publicly accessible.
🎯 Exploit Status
Exploitation requires monitoring GitHub Actions runs and downloading artifacts during the brief exposure window.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit bd95916
Vendor Advisory: https://github.com/udo-munk/z80pack/security/advisories/GHSA-gpjj-f76m-9x3q
Restart Required: No
Instructions:
1. Update to the latest z80pack version.
2. Ensure GitHub Actions workflows exclude .git/config from artifacts.
3. Review and rotate any exposed GITHUB_TOKENs.
🔧 Temporary Workarounds
Modify GitHub Actions Workflow
Update the workflow to exclude .git/config from uploaded artifacts, or use artifact retention policies.
Modify makefile-ubuntu.yml so the actions/upload-artifact step's path input carries an exclusion pattern, for example: path: - '!**/.git/config'
🧯 If You Can't Patch
- Disable the vulnerable GitHub Actions workflow or make artifacts private.
- Implement strict monitoring for unauthorized repository changes and rotate GITHUB_TOKENs regularly.
🔍 How to Verify
Check if Vulnerable:
Inspect the makefile-ubuntu.yml workflow file for use of actions/upload-artifact@v4 without excluding .git/config.
Check Version:
Check the repository commit history for inclusion of commit bd95916.
Verify Fix Applied:
Confirm the workflow no longer includes .git/config in artifacts and uses updated artifact upload practices.
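As an added check (not from the advisory or the z80pack project), the following Python script inspects a downloaded artifact archive for a .git/config that embeds an HTTP Authorization header, which is how actions/checkout persists the workflow token. The sample archive, file paths and the placeholder token are constructed for the example; the script reports the offending path and never decodes or prints the credential.

```python
"""Scan a GitHub Actions artifact zip for a leaked checkout credential.

actions/checkout writes its token into .git/config as
    [http "https://github.com/"]
        extraheader = AUTHORIZATION: basic <base64>
so uploading the whole workspace ships that file inside the artifact.
"""
import io
import re
import zipfile

# Matches a git-config entry carrying an HTTP Authorization header.
AUTH_HEADER = re.compile(r"^\s*extraheader\s*=\s*authorization\s*:", re.IGNORECASE)


def find_leaked_credentials(archive_bytes: bytes) -> list[str]:
    """Return archive member paths whose .git/config embeds an auth header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name != ".git/config" and not name.endswith("/.git/config"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            # Report the path only; the header value itself is never surfaced.
            if any(AUTH_HEADER.match(line) for line in text.splitlines()):
                findings.append(name)
    return findings


def build_sample_artifact(leak: bool) -> bytes:
    """Constructed sample artifact; the token is a placeholder, not a real secret."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("z80pack/cpmsim/cpmsim", b"\x7fELF...")  # constructed binary stub
        config = "[core]\n\trepositoryformatversion = 0\n"
        if leak:
            config += ('[http "https://github.com/"]\n'
                       "\textraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64\n")
        zf.writestr("z80pack/.git/config", config)
    return buf.getvalue()


if __name__ == "__main__":
    for leak in (True, False):
        hits = find_leaked_credentials(build_sample_artifact(leak))
        print("leaked" if hits else "clean", hits)
```

Excluding .git/config from the upload removes the file from future artifacts; setting persist-credentials: false on the actions/checkout step keeps the token out of the workspace in the first place, and the two controls are complementary.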
📡 Detection & Monitoring
Log Indicators:
- Unauthorized commits or pushes in GitHub audit logs
- Unexpected artifact downloads from GitHub Actions
Network Indicators:
- Unusual API calls to GitHub from unexpected IPs using repository tokens
SIEM Query:
source="github" AND (event="push" OR event="release") AND actor NOT IN [expected_users]
🔗 References
- https://github.com/udo-munk/z80pack/commit/1e06c2fe498ca772002b5c4f6f9e3085061e47da
- https://github.com/udo-munk/z80pack/commit/836c2e37b54f86bb4bed9e1406b67e52aa52308d
- https://github.com/udo-munk/z80pack/commit/95535987d690bd20849fbf143f267283f0e2db91
- https://github.com/udo-munk/z80pack/commit/bd9591615ae7b1e6229aa60a485447441c4a0c15
- https://github.com/udo-munk/z80pack/security/advisories/GHSA-gpjj-f76m-9x3q