GitHub Actions setup-php, OAuth Token Exposure, GHSA-f9f8-rm49-7jv2 (Critical)

Listen to this Post

How the mentioned CVE works (approximately 20 lines):

  1. The vulnerability exists in Composer’s github-oauth authentication validation logic.
  2. It affects GitHub Actions workflows using `shivammathur/setup-php` to pin an exact, vulnerable Composer version (e.g., composer:2.9.7).
  3. When Composer attempts to authenticate with GitHub’s API, it validates the OAuth token format.
  4. GitHub recently introduced a newer token format that includes hyphens (e.g., ghp_xxxx-xxxx).
  5. Older Composer versions (2.9.7, 2.2.x before 2.2.28, 1.x before 1.10.28) do not recognize the hyphenated format.
  6. Upon encountering a hyphenated token, Composer rejects the token and generates an error message.
  7. The error message inadvertently prints the full GitHub OAuth token in plaintext.
    8. `setup-php` passes the GitHub runner’s `GITHUB_TOKEN` (or a user-supplied token) to Composer for `github-oauth` auth.
  8. The exposed token then appears in the runner’s logs if Composer outputs the error.
  9. Public repositories make those logs accessible to anyone, leaking the token.
  10. For private repositories, logs are visible to users with read access, but the token may still be exposed.
  11. The leak is not caused by `setup-php` directly printing the token, but by Composer’s error handling.
  12. Workflows using the default Composer version (composer:v2 or unpinned) are safe because the URLs were updated to patched releases.
  13. Affected workflows are those that explicitly pin a vulnerable Composer version (e.g., tools: composer:2.9.7).
  14. The `GITHUB_TOKEN` in GitHub-hosted runners expires after the job, reducing but not eliminating risk.
  15. Longer-lived tokens (GitHub App tokens, personal access tokens) remain exposed for their full lifetime.
  16. An attacker with the leaked token can clone repositories, push code, or trigger workflows depending on token permissions.
  17. The patch in `setup-php` 2.37.1 skips GitHub OAuth generation for pinned Composer versions affected by GHSA-f9f8-rm49-7jv2.
  18. It preserves other Composer authentication (e.g., Packagist) to avoid breaking changes.
  19. Patched Composer versions (2.9.8, 2.2.28, 1.10.28+) fix the token printing behavior in Composer itself.

dailycve form:

Platform: GitHub Actions
Version: setup-php <2.37.1
Vulnerability: Token log exposure
Severity: Critical
date: 2025-02-10

Prediction: Already patched (2.37.1)

Analytics under What Undercode Say:

Check pinned Composer version in workflow
grep -r "composer:" .github/workflows/
Find vulnerable exact pins (e.g., 2.9.7)
grep -E "composer:[0-9]+.[0-9]+.[0-9]+" .github/workflows/.yml
Update setup-php action to patched version
In your workflow YAML:
- name: Setup PHP
uses: shivammathur/[email protected] or newer
with:
php-version: '8.2'
tools: composer:v2 avoid pinning vulnerable versions
Alternative: pin a patched Composer version
tools: composer:2.9.8
Simulate token leak (do not run on real repos)
composer config --global github-oauth.github.com ghp_invalid-hyphen-token
composer validate 2>&1 | grep -i token

Exploit:

  1. Identify a public GitHub Actions workflow that pins `composer:2.9.7` using setup-php.
  2. Inspect the workflow’s run logs for the step where Composer validates GitHub OAuth.
  3. Look for an error message containing ghp_, gho_, or `github_pat_` – that is the leaked token.
  4. Use the token with GitHub API to clone repositories, create issues, or push code as the token owner.
  5. If the token is a GITHUB_TOKEN, it expires after the job but may still allow actions during the remaining minutes.
  6. For longer-lived tokens (PATs or GitHub App tokens), the attacker retains persistent access.

Protection from this CVE:

  • Upgrade `shivammathur/setup-php` to v2.37.1 or newer immediately.
  • If you must pin Composer, use patched versions: 2.9.8, 2.2.28, 1.10.28, or any later release.
  • Avoid pinning vulnerable exact versions like `composer:2.9.7` unless you have automated update mechanisms.
  • Rotate any tokens that may have been exposed in logs (check historical workflow runs).
  • Set workflow log retention to minimal and disable public logging for sensitive repositories.
  • Scan past logs for token patterns using GitHub’s secret scanning or custom grep.

Impact:

  • Any workflow with an affected pinned Composer version leaks the GitHub OAuth token in run logs.
  • Public repositories: token is world-readable; can lead to repository takeover, code injection, or CI/CD compromise.
  • Private repositories: token visible to anyone with log access (collaborators, org members), expanding the attack surface.
    – `GITHUB_TOKEN` typically has write access to the repository, enabling force pushes, workflow modifications, and artifact theft.
  • User tokens (PATs) may have broader org or admin privileges, leading to supply chain attacks.
  • The impact is reduced for ephemeral `GITHUB_TOKEN` but remains critical during the job’s lifetime and for any cached logs.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top