PT-2026-45131 · Github Actions · Shivammathur/Setup-Php
Published 2026-05-20 · Updated 2026-05-20
CVSS v3.1 5.9 Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Impact
This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7. Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have been updated to patched Composer releases for all setup-php versions.
setup-php does not directly print the token. The token may be exposed through Composer when Composer validates github-oauth auth and rejects GitHub's newer hyphen-containing token format.
Public repository logs may expose the token. GitHub-hosted runner GITHUB_TOKEN values expire after the job, but exposure may still matter during the token lifetime and for longer-lived GitHub App or user tokens.
Patches
setup-php 2.37.1 skips generated GitHub OAuth auth for pinned Composer versions affected by Composer GHSA-f9f8-rm49-7jv2 while preserving other Composer auth, including Packagist auth.
Workarounds
Upgrade to setup-php 2.37.1 or newer. You can also avoid the affected path by using a patched Composer version: 2.9.8, 2.2.28, 1.10.28, or newer supported Composer releases. It is recommended to avoid pinning affected Composer versions such as composer:2.9.7, unless you have automations to do timely updates in your workflows.
Fix
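As an added example (not part of this advisory, setup-php or Composer), a small audit script that scans workflow text for exact Composer pins older than the patched releases named in the Workarounds above; the sample workflow is constructed, and treating every older exact pin in a release line as unpatched is an assumption of this script rather than the advisory's exact affected ranges.

```python
import re

# Patched Composer releases the advisory lists: 2.9.8, 2.2.28, 1.10.28. Flagging
# any older exact pin in the same release line is an audit assumption, not an exact range.
PATCHED = {"1.x": (1, 10, 28), "2.2.x": (2, 2, 28), "2.x": (2, 9, 8)}
# Only exact three-part pins are in scope: composer:v2 or an unpinned
# Composer use setup-php's already-updated download URLs and are skipped.
PIN_RE = re.compile(r"\bcomposer:(\d+)\.(\d+)\.(\d+)\b")

def release_line(version):
    major, minor, _ = version
    if major == 1:
        return "1.x"
    return "2.2.x" if (major, minor) == (2, 2) else "2.x"

def is_patched(version):
    """True when the exact pin is at or above its line's patched release."""
    if version[0] > 2:
        return True  # a newer major line than the advisory covers
    return version >= PATCHED[release_line(version)]

def find_unpatched_pins(workflow_text):
    """Return (line_number, version) for each exact pin older than patched."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        for match in PIN_RE.finditer(line):
            version = tuple(int(part) for part in match.groups())
            if not is_patched(version):
                findings.append((line_no, ".".join(match.groups())))
    return findings

# Constructed sample workflow (not from the advisory) with one affected pin.
SAMPLE_WORKFLOW = """\
jobs:
  pinned:
    steps:
      - uses: shivammathur/setup-php@v2
        with:
          tools: composer:2.9.7
  fixed:
    steps:
      - uses: shivammathur/setup-php@v2
        with:
          tools: composer:2.9.8, phpunit
"""

if __name__ == "__main__":
    for line_no, version in find_unpatched_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: composer:{version} predates the patched release")
```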
Insertion into Log File
Weakness Enumeration
Related identifiers
Affected products
Shivammathur/Setup-Php