GitHub CodeQL Action
cpe:2.3:a:github:codeql_action:*:*:*:*:*:*:*
- <= 3.28.2
A vulnerability exists in the GitHub CodeQL Action that can lead to the unintentional exposure of environment variables, including sensitive secrets, in debug artifacts. This issue arises when specific conditions are met during a CodeQL analysis of Kotlin or Java repositories. The vulnerability is present in CodeQL Action versions prior to 3.28.3 and in CodeQL CLI versions 2.9.2 (May 2022) through 2.20.2. When a workflow fails before the CodeQL database is finalized, the debug artifact can include a valid GITHUB_TOKEN with repository access, creating a potential supply chain risk.
Exposed environment variables in the debug artifacts can include sensitive information such as the GITHUB_TOKEN, which has write access to the repository. This could allow an attacker to modify the repository, including backdooring GitHub Actions or poisoning the GitHub Actions Cache with malicious code.
The vulnerability can be reproduced by running a CodeQL analysis workflow on a repository that contains Kotlin or Java source code. The workflow must be configured to upload debug artifacts and use a vulnerable version of the CodeQL Action and CLI. When the analysis fails before the database is finalized, the debug artifact will contain the exposed environment variables, including the GITHUB_TOKEN.
Users can update to GitHub CodeQL Action version 3.28.3 or later, and CodeQL CLI version 2.20.3 or later. GitHub has already applied this update to the CodeQL Action.
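The preconditions above (an affected CodeQL Action version, debug artifact upload enabled, analysis failing before the database is finalized) can be triaged across a set of workflow files before the remediation is rolled out. The script below is an added example, not GitHub's code or part of the CodeQL Action: it encodes the affected version ranges stated in this advisory and scans a workflow with a simple line-based YAML reader (an assumption; it expects consistently indented `steps`, not arbitrary YAML) for `github/codeql-action/init` steps whose `debug` input is set to `true`. The sample workflow is constructed for the example. The CodeQL CLI version is not visible in a workflow file, so `cli_is_affected` is for checking a version taken from the run log.

```python
"""Triage helper for the CodeQL Action debug-artifact advisory (added example).

Flags codeql-action/init steps that pin an affected version (before 3.28.3)
and enable debug artifact upload. A ref that is not a full patch version
(e.g. '@v3') cannot be classified from the file alone and is reported as
unresolved so the tag can be checked against the release it points to.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory.
ACTION_FIXED: Version = (3, 28, 3)       # Action versions before 3.28.3 are affected
CLI_FIRST_AFFECTED: Version = (2, 9, 2)  # CLI 2.9.2 ...
CLI_FIXED: Version = (2, 20, 3)          # ... through 2.20.2 are affected


def parse_version(text: str) -> Optional[Version]:
    """Turn 'v3.28.2' or '3.28.2' into (3, 28, 2); None for refs such as 'v3' or 'main'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def action_is_affected(version: str) -> Optional[bool]:
    """True/False for a full version; None when the ref does not pin a patch release."""
    v = parse_version(version)
    return None if v is None else v < ACTION_FIXED


def cli_is_affected(version: str) -> Optional[bool]:
    """Same classification for a CodeQL CLI version read from the run log."""
    v = parse_version(version)
    return None if v is None else CLI_FIRST_AFFECTED <= v < CLI_FIXED


INIT_STEP_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*github/codeql-action/init@(\S+)")
DEBUG_RE = re.compile(r"^\s*debug:\s*(['\"]?)true\1\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_codeql_init_steps(workflow_text: str) -> List[Dict]:
    """Line-based scan (assumption: simple, consistently indented YAML) for
    codeql-action/init steps; reports the pinned ref and whether debug is on."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = INIT_STEP_RE.match(line)
        if not m:
            continue
        key_col = line.index("uses:")  # column where this step's keys align
        debug_enabled = False
        # Keys of this step sit at or beyond key_col; the next '- ' step item
        # (or the next job) starts further left and ends the scan.
        for nxt in lines[i + 1:]:
            if nxt.strip() and _indent(nxt) < key_col:
                break
            if DEBUG_RE.match(nxt):
                debug_enabled = True
        ref = m.group(1)
        affected = action_is_affected(ref)
        findings.append({
            "line": i + 1,
            "ref": ref,
            "action_affected": affected,  # None => resolve the tag to a release first
            "debug_enabled": debug_enabled,
            # Advisory preconditions: affected (or unresolved) version AND debug artifacts on
            "risky": debug_enabled and affected is not False,
        })
    return findings


# Constructed sample: one job on an affected version with debug on, one patched.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3.28.2
        with:
          languages: java
          debug: true
      - uses: github/codeql-action/autobuild@v3.28.2
      - uses: github/codeql-action/analyze@v3.28.2
  analyze-patched:
    runs-on: ubuntu-latest
    steps:
      - uses: github/codeql-action/init@v3.28.3
        with:
          languages: java
          debug: true
      - uses: github/codeql-action/analyze@v3.28.3
"""

if __name__ == "__main__":
    for f in find_codeql_init_steps(SAMPLE_WORKFLOW):
        status = "RISKY" if f["risky"] else "ok"
        print(f"line {f['line']}: init@{f['ref']} debug={f['debug_enabled']} -> {status}")
```

On the sample, the first job is reported as risky (affected version with debug artifacts enabled) and the patched job is not. A step pinned to a major tag such as `@v3` is reported with `action_affected` of `None`, because the file alone does not say which release the tag resolves to; also remember that a passing run on an affected version is outside the advisory's trigger, since the artifact only captures the environment when analysis fails before the database is finalized.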