PT-2025-17346 · Z80Pack · Z80Pack

Jackhac +1 · Published 2025-04-18 · Updated 2025-04-22 · CVE-2025-32953

CVSS v3.1: 8.7 High
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: z80pack versions 1.38 and prior

Description: The issue is the exposure of sensitive information, specifically the workflow's GITHUB_TOKEN, in a workflow run artifact. The makefile-ubuntu.yml workflow uses actions/upload-artifact@v4 to upload the z80pack-ubuntu artifact as a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. An attacker who downloads the artifact can extract the token and use it with the GitHub API to push malicious code or rewrite release commits in the repository.

Recommendations: For versions 1.38 and prior, update to a version that includes the fix committed in bd95916 to prevent exposure of the GITHUB_TOKEN. As a temporary workaround, consider restricting access to the makefile-ubuntu.yml workflow file until the issue is resolved, and avoid using the actions/upload-artifact@v4 action in the makefile-ubuntu.yml workflow file until the issue is resolved.
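The following workflow fragment is an added illustration of the misconfiguration class described above and of the hardened pattern a maintainer would apply; it is not the project's makefile-ubuntu.yml (the page does not reproduce that file). The job name, build command, output directory and the exact shape of the risky upload step are assumptions; the only facts taken from the advisory are that the artifact was a zip of the current directory and that the bundled .git/config carried the run's token.

```yaml
# Added example, not z80pack's own workflow. Names and paths below are assumed.
name: build-ubuntu
on: [push, pull_request]

permissions:
  contents: read          # least privilege: a build job needs no write access,
                          # so even a leaked token could not push or rewrite commits

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Default is true, which leaves the job's GITHUB_TOKEN in .git/config
          # after checkout; that file is what made the artifact sensitive.
          persist-credentials: false

      - name: Build
        run: make                      # assumed build command

      # RISKY (the pattern the advisory describes): archiving the whole working
      # tree ships .git/ and any credential the checkout step stored there.
      # - uses: actions/upload-artifact@v4
      #   with:
      #     name: z80pack-ubuntu
      #     path: .

      # HARDENED: upload only build outputs and explicitly exclude .git/.
      - uses: actions/upload-artifact@v4
        with:
          name: z80pack-ubuntu
          path: |
            build/**                   # assumed output directory
            !.git/**
```

The two settings are independent layers: `persist-credentials: false` removes the token from the checkout so there is nothing to leak, and the narrowed `path` with the `!.git/**` exclusion stops the artifact from carrying repository metadata at all. The `permissions` block limits what any token in that job can do even if both of the other controls are bypassed.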

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2025-32953
GHSA-GPJJ-F76M-9X3Q

Affected Products

Z80Pack