CVE-2025-52467
📋 TL;DR
This vulnerability in the pgai repository's GitHub Actions workflow allowed an attacker to exfiltrate every secret the workflow had access to, including a GITHUB_TOKEN with write permissions. With that token an attacker could tamper with the repository itself: push arbitrary code, and publish or alter releases. The flaw is in the repository's CI configuration rather than in the published Python package, so the affected asset is any checkout or fork of pgai whose workflows predate commit 8eb3567.
💻 Affected Systems
- pgai
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the repository with ability to push malicious code, modify releases, and potentially inject backdoors into downstream applications.
Likely Case
Exfiltration of sensitive secrets including GITHUB_TOKEN, leading to unauthorized repository access and potential supply chain attacks.
If Mitigated
Limited impact if the workflow's GITHUB_TOKEN is read-only and sensitive secrets are scoped to protected environments. The attacker still gets code execution on the runner and can read whatever secrets that particular job was given, so some exposure may remain.
🎯 Exploit Status
Exploitation requires getting attacker-controlled code to execute inside the affected workflow. Once that happens, reading the secrets from the runner environment and using the GITHUB_TOKEN against the repository is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 8eb356729c33560ce54b88b9a956960ad1e3ede8
Vendor Advisory: https://github.com/timescale/pgai/security/advisories/GHSA-89qq-hgvp-x37m
Restart Required: No
Instructions:
1. Pull commit 8eb356729c33560ce54b88b9a956960ad1e3ede8 into every checkout and fork of the repository that runs the affected workflow; the fix is a change to the repository's workflow configuration.
2. Package consumers should still run: pip install --upgrade pgai (the package does not carry the workflow, but this keeps you on a release cut after the fix)
3. Verify the fix by confirming that commit 8eb3567 is an ancestor of your checked-out branch. An installed wheel does not record a commit hash, so the package version reported by pip is not by itself proof that the workflow was fixed.
🔧 Temporary Workarounds
Restrict GitHub Token Permissions
Limit GITHUB_TOKEN permissions to read-only for workflows that don't require write access, and grant write scopes only on the individual jobs that need them:
permissions:
  contents: read
  packages: read
Use Environment Secrets
Store sensitive secrets in GitHub environment secrets with restricted access (required reviewers and deployment branch rules), so a job only receives them when it explicitly targets that environment.
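The following checker is an added example, not code from pgai or its advisory. It audits the two workaround points above against a workflow that has already been parsed (the dict that yaml.safe_load() returns), flagging a missing or write-all permissions block and any write scope outside an allow-list. It also includes a general check for a job that runs pull request head code while holding the base repository's secrets; that is listed as a general hardening check, not as a statement of pgai's root cause. The WEAK_WORKFLOW and HARDENED_WORKFLOW dicts are constructed samples, not pgai's real workflow.

```python
"""Audit a parsed GitHub Actions workflow for the GITHUB_TOKEN hardening above.

Added example, not code from pgai or its advisory. `workflow` is the dict that
yaml.safe_load() returns for a workflow file (PyYAML is not imported so this
runs offline); the two workflows below are constructed, not pgai's real one.
"""

Finding = tuple[str, str]  # (location in the workflow, message)


def _triggers(workflow: dict) -> set[str]:
    """Event names under `on:`. Caveat: PyYAML follows YAML 1.1, so an unquoted
    `on:` key loads as the boolean True rather than the string "on"."""
    raw = workflow.get("on", workflow.get(True))
    if raw is None:
        return set()
    return {raw} if isinstance(raw, str) else set(raw)  # list items or mapping keys


def _permission_findings(where: str, perms, allowed_write: frozenset) -> list[Finding]:
    """Check one `permissions:` block (workflow-level or job-level)."""
    if perms is None:
        return [(where, "no permissions block: token falls back to the repository default")]
    if perms == "write-all":
        return [(where, "permissions: write-all grants every scope")]
    if perms == "read-all":
        return []
    if not isinstance(perms, dict):
        return [(where, f"unrecognised permissions value {perms!r}")]
    return [(where, f"{scope}: write not in allow-list")
            for scope, level in perms.items()
            if level == "write" and scope not in allowed_write]


def _checks_out_pr_head(job: dict) -> bool:
    """True if an actions/checkout step pins `ref` to the pull request head."""
    return any(str(s.get("uses", "")).startswith("actions/checkout")
               and "pull_request.head" in str((s.get("with") or {}).get("ref", ""))
               for s in job.get("steps") or [])


def audit_workflow(workflow: dict, allowed_write: frozenset = frozenset()) -> list[Finding]:
    """Return findings for every job; an empty list means the workflow passes.
    allowed_write names the scopes a job may hold at `write`, e.g. {"contents"}."""
    findings: list[Finding] = []
    top_perms = workflow.get("permissions")
    privileged = "pull_request_target" in _triggers(workflow)
    for name, job in (workflow.get("jobs") or {}).items():
        where = f"jobs.{name}"
        # A job-level permissions block replaces the workflow-level one entirely.
        perms = job["permissions"] if "permissions" in job else top_perms
        findings += _permission_findings(where, perms, allowed_write)
        # General pwn-request check, not a statement of pgai's root cause: a job
        # holding the base repository's secrets (pull_request_target) that runs
        # code checked out from the PR head hands those secrets to the PR author.
        if privileged and _checks_out_pr_head(job):
            findings.append((where, "pull_request_target job runs untrusted PR head code"))
    return findings


# Constructed weak sample: no permissions block, write-all on the release job,
# PR head checked out and executed under pull_request_target.
WEAK_WORKFLOW = {
    True: {"pull_request_target": None},  # `on:` as PyYAML loads it
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4",
             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"run": "pip install -e . && pytest"}]},
        "release": {"runs-on": "ubuntu-latest", "permissions": "write-all",
                    "steps": [{"run": "python -m build && twine upload dist/*"}]},
    },
}

# Constructed hardened sample: the read-only block from the workaround above at
# workflow level, contents: write only on the release job behind an environment.
HARDENED_WORKFLOW = {
    True: {"pull_request": None, "push": {"branches": ["main"]}},
    "permissions": {"contents": "read", "packages": "read"},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4", "with": {"persist-credentials": False}},
            {"run": "pytest"}]},
        "release": {"runs-on": "ubuntu-latest", "environment": "release",
                    "permissions": {"contents": "write"},
                    "steps": [{"run": "python -m build && twine upload dist/*"}]},
    },
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf, allowed_write=frozenset({"contents"})))
```

Run it against your own workflows by loading each file with yaml.safe_load() and passing the result to audit_workflow() with the write scopes you deliberately grant (typically only contents for a release job). Note the `on:` caveat in _triggers(): PyYAML loads that key as the boolean True, so a checker that only looks for the string "on" silently sees no triggers at all.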
🧯 If You Can't Patch
- Implement strict access controls and monitoring for repository activities
- Rotate all exposed secrets including GITHUB_TOKEN and review repository changes
🔍 How to Verify
Check if Vulnerable:
Check whether your checkout or fork of the pgai repository includes commit 8eb3567. Vulnerable if the workflow configuration predates this commit. The package version reported by pip does not by itself establish this, since the fix is in the repository's workflow files rather than in the package.
Check Version:
pip show pgai | grep Version
Verify Fix Applied:
Confirm that commit 8eb356729c33560ce54b88b9a956960ad1e3ede8 is an ancestor of the branch your workflows run from.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized repository pushes
- Unexpected workflow runs
- Changes to repository settings
Network Indicators:
- Unusual API calls to GitHub from workflow runners
SIEM Query (illustrative: repo.push and workflow.run stand in for your log source's actual action names, and authorized_users must not blanket-trust github-actions[bot], because a stolen GITHUB_TOKEN acts under that identity):
source="github_audit" AND (action:"repo.push" OR action:"workflow.run") AND actor NOT IN [authorized_users]
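The query's logic in runnable form, as an added example that is not code from pgai, GitHub or this page. It scans constructed JSON-lines audit records (the field names @timestamp, action, actor and repo are assumptions to map onto your own export, and repo.push / workflow.run are the page's placeholder action names), authorizes actors per action rather than as a flat allow-list so that a push performed by github-actions[bot] is flagged, skips malformed lines instead of aborting, and summarizes hits per actor so a burst from one identity stands out.

```python
"""Apply the SIEM query above to GitHub audit log records.

Added example, not code from pgai, GitHub or the page. The records are
constructed JSON lines in the general shape of a GitHub audit log export; the
action names (repo.push, workflow.run) are the page's placeholders and the
field names are assumptions to map onto your own log source.
"""
import json
from collections import Counter

# Which actions each actor is expected to perform. GITHUB_TOKEN acts as
# github-actions[bot], so a token stolen from the workflow pushes as that bot:
# allow the bot to appear in workflow runs, but never to push.
AUTHORIZED = {
    "alice": frozenset({"repo.push", "workflow.run"}),
    "bob": frozenset({"repo.push", "workflow.run"}),
    "github-actions[bot]": frozenset({"workflow.run"}),
}
WATCHED_ACTIONS = frozenset({"repo.push", "workflow.run"})


def parse_records(jsonl: str) -> list[dict]:
    """One JSON object per line; malformed lines are skipped, not fatal."""
    records = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def suspicious_events(records: list[dict], authorized=AUTHORIZED) -> list[dict]:
    """The query's logic: watched action AND actor not authorized for that action."""
    return [r for r in records
            if r.get("action") in WATCHED_ACTIONS
            and r.get("action") not in authorized.get(r.get("actor"), frozenset())]


def summarize(events: list[dict]) -> Counter:
    """Count hits per (actor, action) so a burst of pushes from one identity stands out."""
    return Counter((e.get("actor"), e.get("action")) for e in events)


# Constructed sample export (not real pgai audit data).
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1750000000000, "action": "git.clone", "actor": "alice", "repo": "org/pgai"}
{"@timestamp": 1750000060000, "action": "repo.push", "actor": "alice", "repo": "org/pgai"}
{"@timestamp": 1750000120000, "action": "workflow.run", "actor": "github-actions[bot]", "repo": "org/pgai"}
{"@timestamp": 1750000180000, "action": "repo.push", "actor": "mallory", "repo": "org/pgai"}
{"@timestamp": 1750000240000, "action": "repo.push", "actor": "mallory", "repo": "org/pgai"}
this line is not JSON and must not abort the scan
{"@timestamp": 1750000300000, "action": "workflow.run", "actor": "mallory", "repo": "org/pgai"}
{"@timestamp": 1750000360000, "action": "repo.push", "actor": "github-actions[bot]", "repo": "org/pgai"}
"""

if __name__ == "__main__":
    hits = suspicious_events(parse_records(SAMPLE_AUDIT_LOG))
    for (actor, action), n in summarize(hits).most_common():
        print(f"{actor:22} {action:14} {n}")
```

On the sample this reports mallory (two pushes and a workflow run) and one push by github-actions[bot]; the last one is the case a flat "actor NOT IN authorized_users" query misses whenever the bot identity is on the allow-list.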