ghinstallation returns app JWT in error responses
Description
ghinstallation provides transport, which implements http.RoundTripper to provide authentication as an installation for GitHub Apps. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging. The request contained the bearer JWT for the App, and was returned back to clients. This token is short lived (10 minute maximum). This issue has been patched and is available in version 2.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ghinstallation v1 leaks the short-lived JWT bearer token for a GitHub App in error responses when an installation token refresh fails.
Vulnerability Analysis
CVE-2022-39304 affects ghinstallation, a Go library that provides an http.RoundTripper implementation for authenticating as a GitHub App installation. In version 1, when a request to refresh an installation access token fails, the library returns both the HTTP request and response objects to the caller for debugging purposes [1]. The returned request object contains the bearer JWT (JSON Web Token) that the App uses to authenticate itself when requesting the installation token [4].
Attack Vector and Prerequisites
An attacker who can cause the token refresh to fail, or who is present when it fails on its own (a network error, a server-side failure), and who has access to the returned error information can obtain the JWT. The JWT is short-lived, with a maximum lifetime of 10 minutes [1]. The exploit requires no additional authentication beyond being able to intercept or receive the debugging output. In a typical deployment, this output might be logged, returned in an API response, or displayed in an error message, making it accessible to any user or system with access to those logs or responses.
Impact
With the leaked JWT, an attacker can authenticate as the GitHub App itself for the remainder of the token's validity period [4]. This allows the attacker to generate new installation access tokens or make API calls on behalf of the App, potentially accessing repositories, issues, and other resources that the App has been granted access to [4].
Mitigation
The issue has been patched in ghinstallation version 2.0.0 [1]. Users are advised to upgrade to the latest version. There is no workaround available in version 1. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
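To make the leak concrete, the following Go example (added here; it is not ghinstallation's own code) reproduces the v1 pattern of formatting the failed request into the error string, places the 2.0.0-style error beside it, and adds a redaction helper for code that still needs to log the request. The endpoint URL, the 403 status and the JWT value are constructed placeholders.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// constructedJWT stands in for the App's bearer JWT; it is a constructed placeholder, not a real token.
const constructedJWT = "eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED-PAYLOAD.CONSTRUCTED-SIGNATURE"

// newAppRequest builds the installation access-token request the transport sends, carrying the App JWT.
func newAppRequest() *http.Request {
	u, _ := url.Parse("https://api.github.com/app/installations/1/access_tokens")
	req := &http.Request{Method: "POST", URL: u, Header: http.Header{}}
	req.Header.Set("Authorization", "Bearer "+constructedJWT)
	return req
}

// failedResponse models a non-2xx reply from the token endpoint (as for a suspended App).
func failedResponse(req *http.Request) *http.Response {
	return &http.Response{Status: "403 Forbidden", StatusCode: 403, Request: req}
}

// leakyRefreshError mirrors the v1 pattern: %+v on resp.Request dumps every header,
// Authorization included, into the error string that callers log or return.
func leakyRefreshError(resp *http.Response) error {
	return fmt.Errorf("request %+v received non 2xx response status %q", resp.Request, resp.Status)
}

// safeRefreshError mirrors the 2.0.0 fix: only the status and the URL reach the error string.
func safeRefreshError(resp *http.Response, req *http.Request) error {
	return fmt.Errorf("received non 2xx response status %q when fetching %v", resp.Status, req.URL)
}

// redactedRequest keeps a request loggable by masking the credential on a deep copy of the headers.
func redactedRequest(req *http.Request) *http.Request {
	r := req.Clone(context.Background())
	if r.Header.Get("Authorization") != "" {
		r.Header.Set("Authorization", "Bearer [REDACTED]")
	}
	return r
}

// errorLeaksToken is the check a unit test should apply to any error path: does the text contain the secret?
func errorLeaksToken(err error, token string) bool {
	return strings.Contains(err.Error(), token)
}
```

A regression test built on errorLeaksToken, run against every error path that formats a request or response, catches this class of leak before release.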
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/bradleyfalzon/ghinstallation (Go) | < 2.0.0 | 2.0.0 |
Affected products
- (no CPE) range: < 2.0.0
Patches
d24f14f8be70 Add StatusCode to error message if refreshToken() fails due to a suspended app (#44)
1 file changed · +1 −1
transport.go+1 −1 modified@@ -170,7 +170,7 @@ func (t *Transport) refreshToken(ctx context.Context) error { defer resp.Body.Close() if resp.StatusCode/100 != 2 { - return fmt.Errorf("request %+v received non 2xx response status %q with body %+v and TLS %+v", resp.Request, resp.Body, resp.Request, resp.TLS) + return fmt.Errorf("received non 2xx response status %q when fetching %v", resp.Status, req.URL) } return json.NewDecoder(resp.Body).Decode(&t.token)
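Review bot: The removed line's format verbs do not line up with its arguments: the `%q` meant for the status is given resp.Body and the `%+v` meant for the body is given resp.Request a second time, so besides dumping every header of the App request (the Authorization bearer JWT included) it never reported the status or body at all. The replacement `return fmt.Errorf("received non 2xx response status %q when fetching %v", resp.Status, req.URL)` drops the request and with it the credential, which is the right fix, but it also drops the response body, so the server's explanation (for instance why the App is suspended, which the commit title cites as the motivating case) is lost. Consider reading a bounded prefix of resp.Body with io.LimitReader and appending it to the message; that text comes from the server, not from the client's credentials, so it can be reported without reintroducing the leak.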
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-h4q8-96p6-jcgr (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2022-39304 (advisory)
[3] securitylab.github.com/advisories/GHSL-2022-061_ghinstallation (advisory)
[4] docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps (web)
[5] github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go (web)
[6] github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e (web)
[7] github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr (vendor confirmation)
[8] pkg.go.dev/vuln/GO-2022-1178 (web)
News mentions
No linked articles in our index yet.