CVE-2025-32958
📋 TL;DR
This vulnerability in the Adept programming language's GitHub Actions workflow exposes the GITHUB_TOKEN in uploaded build artifacts: the artifact includes .git/config, where the checkout step stores the token, so an attacker who downloads the artifact while the token is still valid can push malicious code or rewrite commits in the AdeptLanguage/Adept repository. It affects users of Adept versions prior to the patched commit. The exposure window is brief but critical.
💻 Affected Systems
- Adept programming language
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains write access to the Adept repository, pushes malicious code, rewrites release commits, potentially compromising downstream users and supply chain.
Likely Case
Attacker extracts token and pushes unauthorized commits or modifies existing code in the repository.
If Mitigated
Token exposure prevented, no unauthorized repository access possible.
🎯 Exploit Status
Exploitation requires monitoring artifact uploads and quick token extraction within seconds.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit a1a41b7
Vendor Advisory: https://github.com/AdeptLanguage/Adept/security/advisories/GHSA-8c7v-vccv-cx4q
Restart Required: No
Instructions:
1. Update to commit a1a41b7 or later.
2. Ensure the remoteBuild.yml workflow excludes .git/config from artifacts.
3. Rotate any potentially exposed GITHUB_TOKENs.
🔧 Temporary Workarounds
Disable artifact upload
Temporarily disable the upload-artifact action in remoteBuild.yml
# Comment out or remove the upload-artifact step in .github/workflows/remoteBuild.yml
Exclude .git directory
Modify the workflow so the artifact does not contain .git/config
# actions/upload-artifact has no 'exclude' input; in the upload-artifact step, add a negated pattern to the path list:
#   path: |
#     .
#     !.git/**
🧯 If You Can't Patch
- Monitor repository for unauthorized commits and push activity
- Implement stricter branch protection rules and require reviews for all pushes
🔍 How to Verify
Check if Vulnerable:
Check whether remoteBuild.yml uses upload-artifact@v4 without excluding .git/config, and whether your checkout is at a commit before a1a41b7.
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify that remoteBuild.yml excludes .git/config and that the checkout is at commit a1a41b7 or later.
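As an added example (not Adept's code and not the advisory's own check), the Python below covers both the "exclude .git directory" workaround and the verification steps. It flags a workflow whose actions/checkout step keeps credentials in .git/config (the default unless persist-credentials is false) and whose upload-artifact step ships the repository root without a `!.git/**` negation, and it inspects a `.git/config` taken from a downloaded artifact for the `extraheader` authorization line that actions/checkout writes. The YAML handling is a line-based heuristic rather than a parser, the two workflow snippets and the config file are constructed, and the token in the sample is a placeholder.

```python
import base64
import re

# Constructed sample workflows for this example (not Adept's remoteBuild.yml).
VULNERABLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - run: make
  - uses: actions/upload-artifact@v4
    with:
      name: build
      path: .
"""

FIXED_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
    with:
      persist-credentials: false
  - run: make
  - uses: actions/upload-artifact@v4
    with:
      name: build
      path: |
        .
        !.git/**
"""

# Constructed .git/config carrying the header actions/checkout writes; the token is a placeholder.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic {}
""".format(base64.b64encode(b"x-access-token:ghs_PLACEHOLDER_NOT_A_REAL_TOKEN").decode())

ROOT_PATTERNS = {".", "./", "*", "**", "**/*"}
EXTRAHEADER_RE = re.compile(r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


def _steps(workflow_text):
    """Split the steps list into raw per-step text. Line-based heuristic, not a YAML parser."""
    steps, current = [], None
    for line in workflow_text.splitlines():
        if line.lstrip().startswith("- "):
            current = [line]
            steps.append(current)
        elif current is not None and line.strip():
            current.append(line)
    return ["\n".join(s) for s in steps]


def _artifact_paths(step):
    """Return the path patterns of an upload-artifact step (single value or block scalar)."""
    lines = step.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)path:\s*(.*)$", line)
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if value and value not in ("|", "|-", ">", ">-"):
            return [value.strip("'\"")]
        patterns = []
        for nxt in lines[i + 1:]:
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break
            patterns.append(nxt.strip().strip("'\""))
        return patterns
    return []


def checkout_persists_credentials(step):
    """actions/checkout stores the token in .git/config unless persist-credentials is false."""
    return "actions/checkout" in step and not re.search(r"persist-credentials:\s*false", step)


def artifact_includes_git_dir(step):
    """True when an upload-artifact step ships the repository root (or .git itself)
    without a negated pattern that drops .git."""
    if "actions/upload-artifact" not in step:
        return False
    patterns = _artifact_paths(step)
    includes = [p for p in patterns if not p.startswith("!")]
    excludes = [p[1:] for p in patterns if p.startswith("!")]
    covers_git = any(p in ROOT_PATTERNS or p.startswith(".git") for p in includes)
    git_excluded = any(p.startswith(".git") for p in excludes)
    return covers_git and not git_excluded


def workflow_leaks_token(workflow_text):
    """The leak needs both halves: credentials persisted AND .git shipped in the artifact."""
    steps = _steps(workflow_text)
    return any(checkout_persists_credentials(s) for s in steps) and any(
        artifact_includes_git_dir(s) for s in steps
    )


def leaked_credential_user(git_config_text):
    """Report the basic-auth username if a .git/config (e.g. from a downloaded artifact)
    still carries the checkout authorization header; the secret itself is not returned."""
    m = EXTRAHEADER_RE.search(git_config_text)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded.split(":", 1)[0]


if __name__ == "__main__":
    print("vulnerable sample leaks token:", workflow_leaks_token(VULNERABLE_WORKFLOW))
    print("fixed sample leaks token:", workflow_leaks_token(FIXED_WORKFLOW))
    print("credential user in artifact .git/config:", leaked_credential_user(SAMPLE_GIT_CONFIG))
```

Two caveats on using this. Recent releases of actions/upload-artifact skip dot-prefixed entries unless `include-hidden-files: true` is set, so treat a hit from the workflow heuristic as something to confirm by downloading an artifact and running `leaked_credential_user` over its `.git/config`. To check whether the fix commit is in your history, `git merge-base --is-ancestor a1a41b7 HEAD` exits 0 when it is, which is more precise than reading `git log --oneline -1` by eye.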
📡 Detection & Monitoring
Log Indicators:
- Unauthorized pushes to Adept repository
- Artifact downloads during workflow execution
Network Indicators:
- API calls to GitHub from unexpected sources using repository tokens
SIEM Query:
source="github" AND (event="push" OR event="workflow_run") AND actor NOT IN allowed_users
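The SIEM query above is one rule; the log indicators list a second one, artifact downloads that happen while the producing workflow run is still executing, which matters here because a leaked GITHUB_TOKEN is only usable for the lifetime of the job. The following Python is an added example (not the page's or GitHub's own tooling) that applies both rules to a small set of constructed audit events. The event schema (`action`, `actor`, `run_id`, `created_at`) and the action names are assumptions for the example and must be mapped onto your SIEM's real field names; the allow-list is constructed.

```python
from datetime import datetime, timezone

# Constructed allow-list and constructed events; the action names are an assumed schema,
# not GitHub's exact audit-log vocabulary.
ALLOWED_ACTORS = {"maintainer-a", "maintainer-b", "github-actions[bot]"}

SAMPLE_EVENTS = [
    {"action": "workflow_run.started", "actor": "maintainer-a", "run_id": 101,
     "created_at": "2025-04-20T10:00:00Z"},
    {"action": "artifact.download", "actor": "unknown-user", "run_id": 101,
     "created_at": "2025-04-20T10:02:10Z"},
    {"action": "push", "actor": "unknown-user", "ref": "refs/heads/master",
     "created_at": "2025-04-20T10:02:40Z"},
    {"action": "workflow_run.completed", "actor": "github-actions[bot]", "run_id": 101,
     "created_at": "2025-04-20T10:05:00Z"},
    {"action": "artifact.download", "actor": "maintainer-b", "run_id": 101,
     "created_at": "2025-04-20T11:30:00Z"},
    {"action": "push", "actor": "maintainer-b", "ref": "refs/heads/master",
     "created_at": "2025-04-20T12:00:00Z"},
]


def _ts(event):
    """Parse the ISO-8601 'Z' timestamp used by the sample events into an aware datetime."""
    return datetime.strptime(event["created_at"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unauthorized_pushes(events, allowed=ALLOWED_ACTORS):
    """Rule 1, the page's SIEM query: pushes by actors outside the allow-list."""
    return [e for e in events if e["action"] == "push" and e["actor"] not in allowed]


def run_windows(events):
    """Map run_id -> [start, end] from workflow_run.started / workflow_run.completed events."""
    windows = {}
    for e in events:
        if e["action"] == "workflow_run.started":
            windows.setdefault(e["run_id"], [None, None])[0] = _ts(e)
        elif e["action"] == "workflow_run.completed":
            windows.setdefault(e["run_id"], [None, None])[1] = _ts(e)
    return windows


def artifact_downloads_during_runs(events):
    """Rule 2: artifact downloads that land inside the producing run's execution window.
    A token inside an artifact is only live until the job ends, so a download after
    completion (the 11:30 sample) is routine and is not flagged."""
    windows = run_windows(events)
    hits = []
    for e in events:
        if e["action"] != "artifact.download":
            continue
        start, end = windows.get(e["run_id"], (None, None))
        if start is None:
            continue
        t = _ts(e)
        if t >= start and (end is None or t <= end):
            hits.append(e)
    return hits


def detect(events, allowed=ALLOWED_ACTORS):
    """Combine both rules into (rule, actor, timestamp) alerts ordered by time."""
    alerts = [("unauthorized_push", e["actor"], e["created_at"])
              for e in unauthorized_pushes(events, allowed)]
    alerts += [("artifact_download_during_run", e["actor"], e["created_at"])
               for e in artifact_downloads_during_runs(events)]
    return sorted(alerts, key=lambda a: a[2])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

In the constructed data the two alerts line up within thirty seconds of each other (a download during run 101, then a push by the same unfamiliar actor), which is the sequence a response team would want to see joined on actor and time; the legitimate download after the run completed and the maintainer's push produce nothing.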