PT-2025-17465 · Adept · Adept

Jackhac +1 · Published 2025-04-21 · Updated 2025-04-26 · CVE-2025-32958

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Adept versions prior to commit a1a41b7

Description

The issue concerns the exposure of the GITHUB_TOKEN in the Adept language workflow. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact, which is a zip of the current directory and includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. This allows an attacker to extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in the AdeptLanguage/Adept repository.

Recommendations

For versions prior to commit a1a41b7, update to a version that includes the patch from commit a1a41b7 to resolve the issue. As a temporary workaround, consider restricting access to the actions/upload-artifact@v4 action in the remoteBuild.yml workflow file until the patch is applied.
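A pre-upload check for the condition described above, added here as an example (it is not code from the advisory or from the Adept project): it audits an artifact zip for `.git/` content and for a git config that carries credentials. It assumes the token sits in `.git/config` as an HTTP `extraheader` Authorization line, the form a credential-persisting checkout step writes; the sample archive, its file names and the placeholder token are constructed.

```python
import io
import re
import zipfile

# Credential-bearing git config lines: an HTTP extraheader carrying an
# Authorization value, or a remote URL with embedded userinfo.
CRED_PATTERNS = [
    re.compile(r"extraheader\s*=\s*authorization:", re.I),
    re.compile(r"url\s*=\s*https?://[^/\s@]+@", re.I),
]

def is_git_config(name):
    """True for '.git/config' at any depth inside the archive."""
    parts = name.replace("\\", "/").split("/")
    return len(parts) >= 2 and parts[-2:] == [".git", "config"]

def audit_artifact(zip_bytes):
    """Return (entries under .git/, git config files holding credentials)."""
    git_entries, cred_configs = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.replace("\\", "/").split("/")
            if ".git" in parts:
                git_entries.append(info.filename)
            if is_git_config(info.filename):
                text = zf.read(info).decode("utf-8", errors="replace")
                if any(p.search(text) for p in CRED_PATTERNS):
                    cred_configs.append(info.filename)
    return git_entries, cred_configs

def build_sample(include_git):
    """Constructed sample artifact; the token value is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("build/adept", b"constructed-binary")  # hypothetical name
        if include_git:
            zf.writestr(".git/HEAD", "ref: refs/heads/master\n")
            zf.writestr(
                ".git/config",
                '[http "https://github.com/"]\n'
                "\textraheader = AUTHORIZATION: basic PLACEHOLDER_NOT_A_TOKEN\n",
            )
    return buf.getvalue()

if __name__ == "__main__":
    for label, data in (("whole directory", build_sample(True)),
                        ("build output only", build_sample(False))):
        entries, creds = audit_artifact(data)
        print(f"{label}: .git entries={entries} credentialed configs={creds}")
```

Run as a CI step before the upload, a non-empty second list is the signal to fail the job; any `.git/` entry at all means the artifact path is broader than the build output.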

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-32958
GHSA-8C7V-VCCV-CX4Q

Affected Products

Adept