CVE-2025-32958

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32958
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-32958.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-32958
Aliases
  • GHSA-8c7v-vccv-cx4q
Published
2025-04-21T21:15:20Z
Modified
2025-04-23T17:14:16.970615Z
Summary
[none]
Details

Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Because the artifact can be downloaded before the workflow ends, there are a few seconds in which an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in the AdeptLanguage/Adept repository. This issue has been patched in commit a1a41b7.
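A pre-upload check for the condition described above, as an added example that is not part of the advisory or of the Adept project: it scans a zip artifact for a .git/config that carries a credential and reports the location without printing the value. It assumes the token is persisted the way actions/checkout does by default (an http extraheader entry); the function names and the sample archive are constructed for illustration.

```python
import base64, io, re, zipfile

# Lines in a git config that can carry a credential: an HTTP auth header
# (assumed persistence format) or a remote URL with embedded userinfo.
EXTRAHEADER = re.compile(r"^\s*extraheader\s*=\s*authorization:", re.I)
URL_USERINFO = re.compile(r"^\s*url\s*=\s*https?://[^/\s@]+@", re.I)

def is_git_config(name):
    """True for '.git/config' at any depth inside the archive."""
    parts = name.replace("\\", "/").split("/")
    return len(parts) >= 2 and parts[-2:] == [".git", "config"]

def scan_artifact(zip_bytes):
    """Return (member, line_no, kind) for each credential-bearing line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_git_config(info.filename):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for n, line in enumerate(text.splitlines(), 1):
                if EXTRAHEADER.match(line):
                    findings.append((info.filename, n, "extraheader"))
                elif URL_USERINFO.match(line):
                    findings.append((info.filename, n, "url-userinfo"))
    return findings

def build_sample(with_token):
    """Constructed stand-in for a zip of the workflow's working directory."""
    cfg = ('[core]\n\tbare = false\n'
           '[remote "origin"]\n\turl = https://github.com/example/repo\n')
    if with_token:
        # Placeholder value, not a real token.
        fake = base64.b64encode(b"x-access-token:PLACEHOLDER_NOT_A_TOKEN").decode()
        cfg += f'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic {fake}\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src/main.c", "int main(void){return 0;}\n")
        zf.writestr(".git/config", cfg)
    return buf.getvalue()

if __name__ == "__main__":
    for label, data in (("leaky", build_sample(True)), ("clean", build_sample(False))):
        hits = scan_artifact(data)
        print(label, "FAIL" if hits else "ok", hits)
```

Run against the archive before the upload step and fail the job on any finding, so that a workspace zip containing .git/config never becomes a downloadable artifact.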

References

Affected packages

Git / github.com/adeptlanguage/adept

Affected ranges

Type
GIT
Repo
https://github.com/adeptlanguage/adept
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v2.*

v2.0
v2.1
v2.2
v2.3
v2.4
v2.5
v2.5-preview-build-oct-18-2021
v2.6
v2.6-preview-build-dec-2-2021
v2.6-preview-build-feb-22-2022
v2.7