CVE-2025-32958

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/AdeptLanguage/Adept/commit/a1a41b72cdf1bebfc0cf6d7b3a8350e6406b2220", "name": "https://github.com/AdeptLanguage/Adept/commit/a1a41b72cdf1bebfc0cf6d7b3a8350e6406b2220", "tags": [], "refsource": ""}, {"url": "https://github.com/AdeptLanguage/Adept/security/advisories/GHSA-8c7v-vccv-cx4q", "name": "https://github.com/AdeptLanguage/Adept/security/advisories/GHSA-8c7v-vccv-cx4q", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the Github API to push malicious code or rewrite release commits in the AdeptLanguage/Adept repository. This issue has been patched in commit a1a41b7."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-32958", "ASSIGNER": "security-advisories@github.com"}}, "impact": {}, "publishedDate": "2025-04-21T21:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-04-21T21:15Z"}