GitHub CodeQL Supply Chain Attack Risk: A 1.022-Second Flaw
2025-03-30

A researcher uncovered a publicly exposed secret in GitHub CodeQL, live for only 1.022 seconds, that could have enabled a devastating supply chain attack. Within that window, an attacker could have gained full write access to CodeQL workflows, stolen source code from private repositories and GitHub Actions secrets, and even executed code on internal infrastructure. Critically, an attacker could have modified the version tag used by the default CodeQL workflow, affecting every repository that relies on CodeQL. The vulnerability has been patched, but it underscores how much CI/CD security matters.
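The attack path that matters most in the summary is the mutable version tag: a workflow that references an action by a tag such as `@v3` runs whatever commit that tag points to today, so an attacker who can move the tag changes what every consumer executes. Pinning to a full 40-character commit SHA removes that lever, because a SHA cannot be retargeted. The following Python check, added here as an example rather than taken from the article or from GitHub's tooling, scans a workflow file you maintain in your own repository for `uses:` references that are not SHA-pinned. The sample workflow and the checkout SHA in it are constructed for the demonstration.

```python
import re
import sys

# A `uses:` step reference: owner/repo[/subpath]@ref, where ref may be a tag,
# a branch, or a commit SHA. Local actions (./path) and docker:// images do
# not carry an @ref in this form and are deliberately not matched.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)')

# Only a full 40-hex commit SHA is an immutable pin.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_actions(workflow_text):
    """Return (line_no, action, ref) for every `uses:` whose ref is not a full commit SHA.

    A ref like `v3` or `main` is mutable: whoever controls the upstream
    repository can retarget it and change what this workflow runs.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        if not SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


# Constructed sample workflow: one step is SHA-pinned (placeholder SHA, not a
# real commit), the two CodeQL steps use the mutable `v3` tag.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
"""


def main(argv):
    # Scan a file given on the command line, or the embedded sample otherwise.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WORKFLOW
    findings = find_unpinned_actions(text)
    for line_no, action, ref in findings:
        print(f"line {line_no}: {action} pinned to mutable ref '{ref}', pin to a commit SHA")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against `.github/workflows/codeql.yml` (or any workflow) and it exits non-zero when a mutable reference is found, which makes it usable as a pre-commit or CI gate. The check is a line-based heuristic, not a YAML parser: quoted `uses:` values and references split across lines are not recognised, so treat a clean result as a first pass rather than proof.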
Tech
CI/CD security