Listen to this Post
How the mentioned CVE works (approximately 20 lines):
- The vulnerability exists in Composer’s github-oauth authentication validation logic.
- It affects GitHub Actions workflows using `shivammathur/setup-php` to pin an exact, vulnerable Composer version (e.g.,
composer:2.9.7). - When Composer attempts to authenticate with GitHub’s API, it validates the OAuth token format.
- GitHub recently introduced a newer token format that includes hyphens (e.g.,
ghp_xxxx-xxxx). - Older Composer versions (2.9.7, 2.2.x before 2.2.28, 1.x before 1.10.28) do not recognize the hyphenated format.
- Upon encountering a hyphenated token, Composer rejects the token and generates an error message.
- The error message inadvertently prints the full GitHub OAuth token in plaintext.
8. `setup-php` passes the GitHub runner’s `GITHUB_TOKEN` (or a user-supplied token) to Composer for `github-oauth` auth. - The exposed token then appears in the runner’s logs if Composer outputs the error.
- Public repositories make those logs accessible to anyone, leaking the token.
- For private repositories, logs are visible to users with read access, but the token may still be exposed.
- The leak is not caused by `setup-php` directly printing the token, but by Composer’s error handling.
- Workflows using the default Composer version (
composer:v2or unpinned) are safe because the URLs were updated to patched releases. - Affected workflows are those that explicitly pin a vulnerable Composer version (e.g.,
tools: composer:2.9.7). - The `GITHUB_TOKEN` in GitHub-hosted runners expires after the job, reducing but not eliminating risk.
- Longer-lived tokens (GitHub App tokens, personal access tokens) remain exposed for their full lifetime.
- An attacker with the leaked token can clone repositories, push code, or trigger workflows depending on token permissions.
- The patch in `setup-php` 2.37.1 skips GitHub OAuth generation for pinned Composer versions affected by GHSA-f9f8-rm49-7jv2.
- It preserves other Composer authentication (e.g., Packagist) to avoid breaking changes.
- Patched Composer versions (2.9.8, 2.2.28, 1.10.28+) fix the token printing behavior in Composer itself.
dailycve form:
Platform: GitHub Actions
Version: setup-php <2.37.1
Vulnerability: Token log exposure
Severity: Critical
date: 2025-02-10
Prediction: Already patched (2.37.1)
Analytics under What Undercode Say:
Check pinned Composer version in workflow grep -r "composer:" .github/workflows/ Find vulnerable exact pins (e.g., 2.9.7) grep -E "composer:[0-9]+.[0-9]+.[0-9]+" .github/workflows/.yml Update setup-php action to patched version In your workflow YAML: - name: Setup PHP uses: shivammathur/[email protected] or newer with: php-version: '8.2' tools: composer:v2 avoid pinning vulnerable versions Alternative: pin a patched Composer version tools: composer:2.9.8 Simulate token leak (do not run on real repos) composer config --global github-oauth.github.com ghp_invalid-hyphen-token composer validate 2>&1 | grep -i token
Exploit:
- Identify a public GitHub Actions workflow that pins `composer:2.9.7` using
setup-php. - Inspect the workflow’s run logs for the step where Composer validates GitHub OAuth.
- Look for an error message containing
ghp_,gho_, or `github_pat_` – that is the leaked token. - Use the token with GitHub API to clone repositories, create issues, or push code as the token owner.
- If the token is a
GITHUB_TOKEN, it expires after the job but may still allow actions during the remaining minutes. - For longer-lived tokens (PATs or GitHub App tokens), the attacker retains persistent access.
Protection from this CVE:
- Upgrade `shivammathur/setup-php` to v2.37.1 or newer immediately.
- If you must pin Composer, use patched versions: 2.9.8, 2.2.28, 1.10.28, or any later release.
- Avoid pinning vulnerable exact versions like `composer:2.9.7` unless you have automated update mechanisms.
- Rotate any tokens that may have been exposed in logs (check historical workflow runs).
- Set workflow log retention to minimal and disable public logging for sensitive repositories.
- Scan past logs for token patterns using GitHub’s secret scanning or custom grep.
Impact:
- Any workflow with an affected pinned Composer version leaks the GitHub OAuth token in run logs.
- Public repositories: token is world-readable; can lead to repository takeover, code injection, or CI/CD compromise.
- Private repositories: token visible to anyone with log access (collaborators, org members), expanding the attack surface.
– `GITHUB_TOKEN` typically has write access to the repository, enabling force pushes, workflow modifications, and artifact theft. - User tokens (PATs) may have broader org or admin privileges, leading to supply chain attacks.
- The impact is reduced for ephemeral `GITHUB_TOKEN` but remains critical during the job’s lifetime and for any cached logs.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

