April 7, 2025
Severity
High
Analysis Summary
CVE-2025-32111 (CVSS: 8.7)
The Docker image published by acme.sh prior to commit 40b6db6 is built by a .github/workflows/dockerhub.yml workflow whose actions/checkout step does not set "persist-credentials: false". With the default setting (true), actions/checkout leaves the job's GitHub token in the checked-out repository's git configuration, where later steps of the same job, including anything that copies the checkout into a Docker build context, can read it.
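As an added defensive check (not code from this page or from the acme.sh project), the following Python scans a workflow file for actions/checkout steps that leave persist-credentials at its default, which is the misconfiguration CVE-2025-32111 describes. The two sample workflows are constructed, `example/acme` is a placeholder image name, and the scanner is line-oriented rather than a full YAML parser.

```python
import re
# Constructed sample workflows (not the acme.sh project's real files): the first
# leaves actions/checkout's persist-credentials at its default (true), the second
# sets it to false, which is what the fix for CVE-2025-32111 adds.
VULNERABLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t example/acme .
"""

HARDENED_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: docker build -t example/acme .
"""

STEP_RE = re.compile(r"^(\s*)-\s")                         # start of a list item
CHECKOUT_RE = re.compile(r"\buses:\s*actions/checkout@")   # the checkout step
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*$")

def find_persisting_checkouts(workflow_text):
    """Return 1-based line numbers of actions/checkout steps that never set
    persist-credentials: false.  Line-oriented, not a full YAML parser: a step
    is its '- ' line plus every following non-blank line indented deeper."""
    lines = workflow_text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        m = STEP_RE.match(lines[i])
        if not m:
            i += 1
            continue
        dash_indent = len(m.group(1))
        j = i + 1  # advance to the next sibling step or the parent key
        while j < len(lines) and (not lines[j].strip()
                                  or len(lines[j]) - len(lines[j].lstrip()) > dash_indent):
            j += 1
        step = lines[i:j]
        if any(CHECKOUT_RE.search(s) for s in step) and not any(PERSIST_OFF_RE.match(s) for s in step):
            findings.append(i + 1)
        i = j
    return findings
```

Run it over every file under .github/workflows/ in CI; a non-empty result for any file is the condition the acme.sh fix removed.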
CVE-2025-31479 (CVSS: 8.2)
The canonical/get-workflow-version-action GitHub composite action before version 1.0.1 can leak part of the GITHUB_TOKEN. When an action step fails, the exception output may include the token; GitHub automatically redacts full secrets from logs, but a truncated token is not recognised and can appear in the log in plaintext. Anyone with read access to the repository (for public repositories, anyone at all) can view these GitHub Actions logs. The impact is limited because the GITHUB_TOKEN is revoked automatically when the job ends, but a potential attack window exists between the token's exposure in the log and job completion. Only users of the github-token input are affected. Version 1.0.1 resolves the vulnerability and prevents the token leakage.
Impact
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-32111
CVE-2025-31479
Affected Vendors
Affected Products
- acme.sh project acme.sh – 0
- canonical get-workflow-version-action – 1.0.1
Remediation
Refer to the GitHub Security Advisory for each CVE for patch, upgrade, or suggested workaround information.