PT-2025-19986 · Phpgt/Dom
Jackhac
Published: 2025-05-06 · Updated: 2025-05-06
CVE-2025-46820
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions
phpgt/Dom versions prior to 4.1.8
Description
The issue exposes the run's GITHUB_TOKEN in the Dom workflow run artifact. This occurs because the ci.yml workflow uses actions/upload-artifact@v4 to upload the build artifact as a zip of the current directory, and that directory includes the automatically generated .git/config file in which the run's GITHUB_TOKEN is stored. An attacker who downloads the artifact can extract the token and use it with the GitHub API to push malicious code or rewrite release commits in the repository. The token is only valid for the duration of the workflow run, which limits the window in which exploitation could occur. Downstream users of the repository may be affected.
Recommendations
For versions prior to 4.1.8, update to version 4.1.8 to fix the issue. As a temporary workaround, consider restricting access to the actions/upload-artifact@v4 action in the ci.yml workflow file until the update is applied. Avoid using the GITHUB_TOKEN in the affected workflow until the issue is resolved.
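The exposure pattern described above, shown as an added illustration beside a hardened job (this is constructed example YAML, not phpgt/Dom's own ci.yml; job names, the build step and artifact paths are assumptions):

```yaml
# Constructed example, not the project's workflow.
name: CI

on: [push, pull_request]

jobs:
  # Exposure pattern: the whole checkout, .git/config included, goes into the artifact.
  build-unsafe:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # With the default persist-credentials: true, checkout writes the run's
        # GITHUB_TOKEN into .git/config (as an http extraheader) for later git pushes.
      - run: composer install --no-dev   # assumed build step
      - uses: actions/upload-artifact@v4
        with:
          name: build
          path: .   # zips .git/config, so anyone who can download the artifact gets the token

  # Hardened pattern: do not persist the token, do not ship .git, and scope the token down.
  build-safe:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # least privilege: the token for this job cannot push even if leaked
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # no credential is written to .git/config
      - run: composer install --no-dev   # assumed build step
      - uses: actions/upload-artifact@v4
        with:
          name: build
          path: |
            .
            !.git/**   # exclude repository metadata from the uploaded zip
```

Any one of the three changes in the hardened job removes or defuses the leak; applying all three also limits damage if a future step reintroduces the credential.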
Information Disclosure
Insufficiently Protected Credentials
Cleartext Storage of Sensitive Information
Affected Products
Phpgt/Dom