PT-2024-20768 · Unknown · CodeQL CLI

I-Al-Istannen

Published 2024-02-22 · Updated 2025-05-07 · CVE-2024-25129

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CodeQL CLI versions prior to 2.16.3

Description: The CodeQL CLI is vulnerable to an XML External Entity (XXE) attack due to an XML parser used to read auxiliary files. This vulnerability can be exploited when processing maliciously modified CodeQL databases or specially prepared QL query sources, potentially leading to a loss of privacy or exfiltration of secrets. Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted. Those using CodeQL for routine analysis of source trees with a preselected set of trusted queries are not affected.
Recommendations: For versions prior to 2.16.3, upgrade to release 2.16.3 of the CodeQL CLI to fix the issue. As a temporary workaround, consider not accepting CodeQL databases or queries from untrusted sources. Alternatively, only process such material on a machine without an Internet connection. Customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons may continue using that version, but must ensure the codeql pack create command is run using the production CodeQL release with trusted QL sources.
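As an added example (not code from the advisory or from the CodeQL project), the following Python pre-check inspects an XML file for DOCTYPE and external entity declarations before a database or query pack from an untrusted source is handed to a tool that parses it. It assumes nothing about CodeQL's own file layout; expat is driven with a reference handler that refuses to fetch anything, so the check itself cannot trigger the XXE it is looking for.

```python
import xml.parsers.expat
from dataclasses import dataclass, field


@dataclass
class XmlEntityReport:
    has_doctype: bool = False
    external: list = field(default_factory=list)  # (entity name, system id) pairs
    internal: list = field(default_factory=list)  # names of inline-valued entities
    parse_error: str = ""                         # non-empty if expat aborted


def inspect_xml(data: bytes) -> XmlEntityReport:
    """Parse with expat, never resolving external entities, and record what the DTD declares."""
    report = XmlEntityReport()
    parser = xml.parsers.expat.ParserCreate()
    # Report parameter entities too; they live in the DTD rather than the document body.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report.has_doctype = True
        if system_id:  # an external DTD subset is itself a fetch from outside the file
            report.external.append(("DOCTYPE " + name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            report.external.append((name, system_id))
        else:
            report.internal.append(name)

    def on_external_ref(context, base, system_id, public_id):
        return 0  # refuse the fetch; expat then aborts the parse with an ExpatError

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        report.parse_error = str(exc)
    return report


def is_safe_to_process(data: bytes) -> bool:
    """Accept only XML that declares no external entities and parsed cleanly."""
    report = inspect_xml(data)
    return not report.external and not report.parse_error


# Constructed samples, not real CodeQL files: a benign pack file and one carrying an XXE entity.
CLEAN_XML = b'<?xml version="1.0"?><pack><name>example</name></pack>'
XXE_XML = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE pack [ <!ENTITY secret SYSTEM "file:///placeholder/secret.txt"> ]>\n'
           b'<pack><name>&secret;</name></pack>')
```

Run `inspect_xml` over every `.xml` file in an untrusted database or pack and quarantine anything for which `is_safe_to_process` is false; the report lists which entity and which system id caused the rejection.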

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers: CVE-2024-25129, GHSA-GF8P-V3G3-3WPH

Affected Products: CodeQL CLI