PT-2025-5344 · GitHub · CodeQL CLI (+1)

Jstawinski · Published 2025-01-24 · Updated 2025-04-10 · CVE-2025-24362

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: CodeQL Action versions prior to 3.28.3; CodeQL CLI versions prior to 2.20.3

Description: In certain circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain environment variables from the workflow run, including secrets. Users with read access to the repository can access this artifact, potentially exposing secrets. The issue is specific to workflow runs that satisfy conditions such as scanning Java/Kotlin languages, running in a repository with Kotlin source code, and using specific versions of CodeQL Action and CLI. The exposed environment variables may include a valid GITHUB_TOKEN, which has access to the repository and the specified permissions. The GITHUB_TOKEN is valid until the job completes or 24 hours have elapsed.

Recommendations: For CodeQL Action versions prior to 3.28.3, update to version 3.28.3 or later to resolve the issue. For CodeQL CLI versions prior to 2.20.3, update to version 2.20.3 or later to resolve the issue. As a temporary workaround, consider disabling debug artifacts in the CodeQL Action to minimize the risk of exposing environment variables. Restrict access to the repository to minimize the risk of unauthorized access in case the GITHUB_TOKEN is exposed.
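The following is an added illustration, not part of the advisory and not GitHub's own workflow: a constructed code-scanning job that matches the conditions the advisory names (Java/Kotlin scan, debug artifacts enabled, an Action tag below 3.28.3, broad token permissions), followed by the corrected form that applies the recommendations (pinned to 3.28.3, debug artifacts left at their default of off, least-privilege GITHUB_TOKEN). The `debug` input of `github/codeql-action/init` and the top-level `permissions` block are standard GitHub Actions features; the pre-fix tag `v3.28.2` is used only as an example of an affected pin and the workflow names and triggers are assumptions.

```yaml
# Added example, not from the advisory. Two documents in one file for
# side-by-side comparison; in practice each would be its own workflow file.

# --- Weak: reproduces the advisory's risk conditions ---
name: codeql-weak
on: [push]
permissions: write-all            # GITHUB_TOKEN carries far more than the scan needs
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3.28.2   # hypothetical pin below 3.28.3: affected
        with:
          languages: java-kotlin
          debug: true                              # debug artifact uploaded after a failed run
      - uses: github/codeql-action/autobuild@v3.28.2
      - uses: github/codeql-action/analyze@v3.28.2
---
# --- Corrected: applies the advisory's recommendations ---
name: codeql-fixed
on: [push]
permissions:
  contents: read                  # least privilege: only what checkout needs
  security-events: write          # required to upload SARIF results
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3.28.3   # fixed version named in the advisory
        with:
          languages: java-kotlin
          # `debug` omitted: defaults to false, so no debug artifact is uploaded
      - uses: github/codeql-action/autobuild@v3.28.3
      - uses: github/codeql-action/analyze@v3.28.3
```

Updating the Action tag does not by itself prove the CLI is patched: the advisory lists CodeQL CLI 2.20.3 as a separate fix, so confirm in the run log of the init step that the CLI version the Action resolved is 2.20.3 or later, and remove any debug artifacts already uploaded by earlier failed runs, since an exposed GITHUB_TOKEN stays valid until the job completes or 24 hours have elapsed.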

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2025-24362
GHSA-GQH3-9PRG-J95M
GHSA-VQF5-2XX6-9WFM

Affected Products

Codeql Action
Codeql Cli