CVE-2025-24355

Name of the Vulnerable Software and Affected Versions Updatecli versions prior to 0.93.0

Description The issue concerns the leakage of private Maven repository credentials in application logs when an updatecli pipeline execution fails. This occurs when the pipeline contains a maven source configured with basic auth credentials and there is a failure in the Maven repository, such as wrong coordinates provided or a non-existing artifact or version. Credentials are properly sanitized when the operation is successful. The estimated number of potentially affected devices is not explicitly mentioned, but Updatecli has seen over 1.2 million downloads.

Technical details about exploitation include the fact that during the execution of an updatecli pipeline, credentials are being leaked in the application execution logs in case of failure. For example, when the repository field in the maven source is configured with basic auth credentials, and there is an error, the credentials may be exposed in the logs.

Recommendations For Updatecli versions prior to 0.93.0, update to version 0.93.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of basic auth credentials in the repository field of the maven source until the issue is resolved. Restrict access to the application logs to minimize the risk of credential exposure.