
Multiple GitHub Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-32111 CVSS:8.7

The Docker image from acme.sh prior to 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks "persist-credentials: false" for actions/checkout.
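An added example (not from the advisory or the acme.sh project): a small scanner that flags `actions/checkout` steps lacking `persist-credentials: false`, the setting this CVE reports as missing; by default `actions/checkout` keeps the token in the checked-out repository's git configuration. The sample workflow and function names are constructed for illustration, and the scanner assumes block-style YAML (it groups steps by indentation rather than parsing YAML).

```python
import re
import sys
from pathlib import Path

ITEM = re.compile(r"^\s*-\s+")
CHECKOUT = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?actions/checkout@", re.M)
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*['\"]?false\b", re.M | re.I)
# Constructed sample workflow (not the acme.sh dockerhub.yml).
SAMPLE = """\
jobs:
  build:
    steps:
      - name: checkout code
        uses: actions/checkout@v4
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/checkout@v4
        with:
          # persist-credentials: false
          fetch-depth: 0
"""

def split_items(text):
    """Group lines into YAML list items by indentation: [first_line_no, block] pairs."""
    items, current, indent = [], None, 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and commented-out settings never count
        depth = len(line) - len(line.lstrip())
        if current and depth <= indent:  # sibling item or dedent closes the item
            items.append(current)
            current = None
        if current is None and ITEM.match(line):
            current, indent = [no, line], depth
        elif current:
            current[1] += "\n" + line
    if current:
        items.append(current)
    return items

def find_unsafe_checkouts(text):
    """Line numbers of actions/checkout steps without persist-credentials: false."""
    return [no for no, block in split_items(text)
            if CHECKOUT.search(block) and not PERSIST_OFF.search(block)]

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, find_unsafe_checkouts(Path(path).read_text(encoding="utf-8")))
```

Run it with the paths of the workflow files under `.github/workflows/` as arguments; each reported number is the first line of a checkout step to review.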

CVE-2025-31479 CVSS:8.2

A security vulnerability exists in the canonical/get-workflow-version-action GitHub composite action before version 1.0.1. When the action step fails, the exception output might reveal part of the GITHUB_TOKEN. GitHub automatically redacts full secrets from logs, but token truncation can lead to partial token exposure in plaintext. Anyone with read access to the repository, or in the case of public repositories, anyone at all, can view these GitHub Actions logs. The vulnerability's impact is limited because the GITHUB_TOKEN is automatically revoked when the job ends. However, a potential attack window exists between the token's log exposure and job completion. Users utilizing the github-token input are affected by this issue. Version 1.0.1 resolves the vulnerability and prevents token leakage.

Impact

  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2025-32111

  • CVE-2025-31479

Affected Vendors

GitHub

Affected Products

  • acme.sh project acme.sh - 0
  • canonical get-workflow-version-action - 1.0.1

Remediation

Refer to GitHub Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-32111

CVE-2025-31479