PT-2026-45131 · Github Actions · Shivammathur/Setup-Php

Published: 2026-05-20 · Updated: 2026-05-20

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact

This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7.
Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have been updated to patched Composer releases for all setup-php versions.
setup-php does not print the token itself. The token may be exposed through Composer when Composer validates the github-oauth credential that setup-php generated and rejects GitHub's newer hyphen-containing token format.
Public repository logs may expose the token. The GITHUB_TOKEN of a GitHub-hosted runner expires after the job, but exposure can still matter during the token lifetime, and longer-lived GitHub App or user tokens remain valid after the job.

Patches

setup-php 2.37.1 skips generated GitHub OAuth auth for pinned Composer versions affected by Composer GHSA-f9f8-rm49-7jv2 while preserving other Composer auth, including Packagist auth.

Workarounds

Upgrade to setup-php 2.37.1 or newer. You can also avoid the affected path by pinning a patched Composer version: 2.9.8, 2.2.28, 1.10.28, or a newer supported Composer release.
Avoid pinning affected Composer versions such as composer:2.9.7 unless you have automation that updates your workflows promptly.
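The Impact and Workarounds sections above reduce to one question for a repository owner: does any workflow pin an exact Composer version through setup-php that is older than the patched releases named here? The script below is an added example, not code from the setup-php project or this advisory. It scans workflow text for setup-php `tools:` lines, classifies each exact `composer:X.Y.Z` pin against the patched versions the advisory lists (2.9.8, 2.2.28, 1.10.28), leaves the default, `composer:v2` and unpinned forms alone as the advisory says they are unaffected, and reports release lines the advisory does not mention as "review" rather than assuming anything. It assumes a line-based regex over `tools:` is sufficient (no YAML parser) and uses a constructed sample workflow.

```python
"""Find setup-php steps that pin a Composer version still affected by
Composer GHSA-f9f8-rm49-7jv2 (the advisory above: setup-php GHSA-5WXR-W449-57CM).

Added example: not the project's own code. Assumptions: a regex over
`tools:` lines is enough (setup-php takes a comma-separated string there),
and only exact semver pins matter, as the advisory states.
"""
import re

# Patched Composer releases named in the advisory, keyed by release line.
PATCHED = {
    (2, 9): (2, 9, 8),
    (2, 2): (2, 2, 28),
    (1, 10): (1, 10, 28),
}
NEWEST_PATCHED = max(PATCHED.values())  # (2, 9, 8)

# `tools: composer:2.9.7, phpunit` or `tools: 'composer:v2'`
TOOLS_LINE = re.compile(r"^\s*tools:\s*['\"]?(.+?)['\"]?\s*$")
# Only an exact semver pin selects a specific, possibly vulnerable, release.
EXACT_PIN = re.compile(r"^composer:(\d+)\.(\d+)\.(\d+)$")


def classify_pin(version):
    """Return 'patched', 'affected' or 'review' for an exact Composer pin."""
    line = version[:2]
    if line in PATCHED:
        return "patched" if version >= PATCHED[line] else "affected"
    if version > NEWEST_PATCHED:
        # Newer than every patched release the advisory lists (e.g. 2.10.x).
        return "patched"
    # A release line the advisory does not mention (e.g. 2.5.x): do not guess.
    return "review"


def suggest_fix(version):
    """Smallest patched pin on the same release line, else the unaffected alias."""
    line = version[:2]
    if line in PATCHED:
        return "composer:%d.%d.%d" % PATCHED[line]
    return "composer:v2"  # advisory: composer:v2 resolves to a patched release


def scan_workflow(text):
    """Return [(pin, status), ...] for every exact Composer pin in tools: lines."""
    findings = []
    for raw in text.splitlines():
        m = TOOLS_LINE.match(raw)
        if not m:
            continue
        for tool in (t.strip() for t in m.group(1).split(",")):
            pin = EXACT_PIN.match(tool)
            if pin:
                version = tuple(int(x) for x in pin.groups())
                findings.append((tool, classify_pin(version)))
    return findings


# Constructed sample workflow: one affected pin, one alias, one patched pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          tools: composer:2.9.7, phpunit
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          tools: 'composer:v2'
      - uses: shivammathur/setup-php@v2
        with:
          tools: composer:2.2.28
"""


if __name__ == "__main__":
    for pin, status in scan_workflow(SAMPLE_WORKFLOW):
        version = tuple(int(x) for x in pin.split(":")[1].split("."))
        hint = "" if status == "patched" else "  -> " + suggest_fix(version)
        print("%-18s %-8s%s" % (pin, status, hint))
```

Run it against each file under `.github/workflows/` (for example by feeding `open(path).read()` to `scan_workflow`); a line marked "affected" is the pinned-Composer path the advisory describes, and upgrading setup-php to 2.37.1 closes it independently of the pin.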

Fix

Insertion into Log File


Weakness Enumeration

Related Identifiers

GHSA-5WXR-W449-57CM

Affected Products

Shivammathur/Setup-Php