Home > Vulnerability Database > CVE-2025-62794

Mend.io Vulnerability Database

CVE-2025-62794

Good to know:

Date: October 28, 2025

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

Severity Score

3.8

Related Resources (5)

Url: https://github.com/RichardoC/github-workflow-updater-extension/security/advisories/GHSA-679x-97jw-8vjp

Url: https://github.com/RichardoC/github-workflow-updater-extension/commit/b9518c38ac6bc2a9fda2242e6daef17f7184ad1f

Url: https://github.com/microsoft/vscode-discussions/discussions/748

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62794

Url: https://www.mend.io/vulnerability-database/CVE-2025-62794

Severity Score

3.8

Weakness Type (CWE)

Insufficiently Protected Credentials

CWE-522

Top Fix

Upgrade Version

Upgrade to version https://github.com/RichardoC/github-workflow-updater-extension.git - 0.0.7

Learn More

CVSS v3.1

Base Score:	3.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62794

Good to know:

Date: October 28, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?