PT-2025-5345 · Hl7 · Hl7 Fhir Ig Publisher

Pat-Ryan-Health · Published 2025-01-24 · Updated 2025-01-24 · CVE-2025-24363

CVSS v3.1: 4.2 Medium

Vector: AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
HL7 FHIR IG publisher versions prior to 1.8.9

Description
The HL7 FHIR IG publisher exposes usernames and credentials in the built Implementation Guide when it uses git commands to determine the URL of the originating repo in CI contexts. This occurs if the repo was cloned from, or set to use, a URL that carries a username and credential. Users who clone public repos without credentials are not impacted.

Recommendations
For versions prior to 1.8.9, update to version 1.8.9 or the latest release. As a temporary workaround, ensure the IG repo being published does not have a username or credentials in its origin URL: run the command git remote get-url origin and verify that the URL it prints contains no username, password, or token. Alternatively, run the IG Publisher CLI with the -repo parameter and specify a URL that contains no username, password, or token.
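
One way to automate the workaround check in a CI job before the publish step, as an added example that is not part of the advisory or of the IG Publisher project. The function names, the --check switch and the sample URLs are assumptions made for the example; it reads the origin with git remote get-url origin and checks only http(s) remotes.

```shell
#!/bin/sh
# Added example: gate a CI publish step on the origin URL carrying no userinfo.

# Return 0 when an http(s) URL has a "user[:secret]@" part before the host.
url_has_credentials() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;          # assumption: only http(s) remotes are checked
    esac
    rest=${1#*://}              # drop the scheme
    authority=${rest%%/*}       # [userinfo@]host[:port]
    case "$authority" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the URL with any userinfo removed, suitable as a -repo value.
strip_userinfo() {
    if url_has_credentials "$1"; then
        scheme=${1%%://*}
        rest=${1#*://}
        authority=${rest%%/*}
        path=${rest#"$authority"}
        printf '%s://%s%s\n' "$scheme" "${authority##*@}" "$path"
    else
        printf '%s\n' "$1"
    fi
}

# Check the origin remote of the repo in directory $1; never echo the secret.
check_origin() {
    url=$(git -C "$1" remote get-url origin) || return 2
    if url_has_credentials "$url"; then
        echo "origin URL embeds credentials; use -repo $(strip_userinfo "$url")" >&2
        return 1
    fi
    echo "origin URL is clean: $url"
}

# Constructed sample values (not from the advisory):
#   https://ci-bot:s3cr3t-token@git.example.org/org/ig.git  -> flagged
#   https://git.example.org/org/ig.git                       -> clean
if [ "${1:-}" = "--check" ]; then
    check_origin "${2:-.}"
    exit $?
fi
```

Run with --check and the path to the IG repo; a non-zero exit status lets the CI job stop before the Implementation Guide is built.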

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-24363
GHSA-6729-95V3-PJC2

Affected Products

Hl7 Fhir Ig Publisher