`goreleaser release --debug` shows secrets
Description
GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. The `goreleaser release --debug` log shows secret values used in the custom publisher. This vulnerability is fixed in 1.24.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GoReleaser leaks secret environment variables in debug logs when using custom publishers, fixed in v1.24.0.
Vulnerability
Description
CVE-2024-23840 is an information disclosure vulnerability in GoReleaser, a tool that automates building Go binaries and creating GitHub releases. The flaw occurs in the custom publisher functionality: when running `goreleaser release --debug`, the debug log output includes the full environment variables passed to the custom command, including any secrets. This means sensitive values like API tokens, passwords, or keys provided via `env` in the publisher configuration are printed in plaintext to the console or log file [1][4].
Attack
Vector and Exploitation
The vulnerability is triggered by simply running `goreleaser release --debug` with a custom publisher that defines secret environment variables. No special authentication or network access is required beyond having the GoReleaser configuration file (`.goreleaser.yml`) that includes a `publishers` block with the `env` field referencing secrets [4]. An attacker who gains access to the debug logs, either by observing the terminal output, reading log files stored in CI artifacts, or through shared debugging sessions, can extract the secret values. The leak also exposes the `GITHUB_TOKEN` if it is set in the environment [4].
Impact
A successful exploitation allows an attacker to obtain secret values used by the custom publisher, potentially including credentials for external services, signing keys, or API tokens. This could lead to unauthorized access to the release pipeline, code signing, or other integrated services. The severity is amplified in CI/CD environments where logs are often retained and may be accessible to multiple team members or external systems [1].
Mitigation
GoReleaser fixed this issue in version 1.24.0. The fix, introduced in commit d5b6a53, removes the env field from the debug log output for custom commands, preventing secrets from being displayed [3]. Users should upgrade to v1.24.0 or later. No workaround exists other than avoiding the --debug flag in production or CI, or ensuring logs are never exposed to untrusted parties [1][4].
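As an added illustration (not GoReleaser's own code, and not taken from the fix commit), the Go program below contrasts a debug line that logs the full environment, the pre-1.24.0 behaviour described above, with one that logs only the variable names, and adds the check a defender would run over captured CI log text to find out whether any environment value was written verbatim. The sample environment, the placeholder token value and the log field names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleEnv is a constructed environment such as a custom publisher might
// receive. The token value is a placeholder, not a real credential.
var sampleEnv = []string{
	"HOME=/home/runner",
	"PUBLISHER_TOKEN=example-token-value-0001",
	"NO_VALUE_VAR",
}

// redactEnv returns a copy of env that is safe to put in a debug log: the
// variable names are kept so the log still shows which variables were passed,
// while every value is replaced. Entries without '=' are kept unchanged.
func redactEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		name, _, found := strings.Cut(kv, "=")
		if !found {
			out = append(out, kv)
			continue
		}
		out = append(out, name+"=[REDACTED]")
	}
	return out
}

// leakedVars reports the names of the variables in env whose values appear
// verbatim in logText. Values shorter than minLen are skipped so that short,
// common values such as "1" or "true" do not produce false positives.
func leakedVars(logText string, env []string, minLen int) []string {
	var leaked []string
	for _, kv := range env {
		name, value, found := strings.Cut(kv, "=")
		if !found || len(value) < minLen {
			continue
		}
		if strings.Contains(logText, value) {
			leaked = append(leaked, name)
		}
	}
	return leaked
}

// debugLineUnsafe mimics a structured debug line that logs the complete
// environment, i.e. the behaviour this advisory describes.
func debugLineUnsafe(env []string) string {
	return fmt.Sprintf("level=debug msg=\"executing command\" env=%q", env)
}

// debugLineSafe logs the same event with the values redacted.
func debugLineSafe(env []string) string {
	return fmt.Sprintf("level=debug msg=\"executing command\" env=%q", redactEnv(env))
}

func main() {
	unsafeLine := debugLineUnsafe(sampleEnv)
	safeLine := debugLineSafe(sampleEnv)
	fmt.Println(unsafeLine)
	fmt.Println("leaked:", leakedVars(unsafeLine, sampleEnv, 16))
	fmt.Println(safeLine)
	fmt.Println("leaked:", leakedVars(safeLine, sampleEnv, 16))
}
```

Run against a saved CI log instead of the constructed line, `leakedVars` is the quick triage step after upgrading: it tells you which of the variables in a publisher's `env` already need rotating because a retained debug log contains their values.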
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/goreleaser/goreleaser (Go) | >= 1.23.0, < 1.24.0 | 1.24.0 |
Affected products
- (no CPE) range: < 1.24.0-r0
- (no CPE) range: < 1.24.0-r0
- (no CPE) range: >= 1.23.0, < 1.24.0
- Range: 1.23.0
Patches
d5b6a533ca1d Merge pull request from GHSA-h3q2-8whx-c29h
3 files changed · +1 −4
internal/exec/exec.go+0 −1 modified@@ -86,7 +86,6 @@ func executePublisher(ctx *context.Context, publisher config.Publisher) error { func executeCommand(c *command, artifact *artifact.Artifact) error { log.WithField("args", c.Args). - WithField("env", c.Env). WithField("artifact", artifact.Name). Debug("executing command")
internal/pipe/sbom/sbom.go+1 −2 modified@@ -201,8 +201,7 @@ func catalogArtifact(ctx *context.Context, cfg config.SBOM, a *artifact.Artifact cmd.Env = append(cmd.Env, envs...) cmd.Dir = ctx.Config.Dist - log.WithField("env", cmd.Env). - WithField("dir", cmd.Dir). + log.WithField("dir", cmd.Dir). WithField("cmd", cmd.Args). Debug("running")
internal/shell/shell.go+0 −1 modified@@ -18,7 +18,6 @@ import ( func Run(ctx *context.Context, dir string, command, env []string, output bool) error { log := log. WithField("cmd", command). - WithField("env", env). WithField("dir", dir) /* #nosec */
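Review bot: in the `internal/exec/exec.go` hunk, dropping `WithField("env", c.Env)` keeps the values out of the debug log, but `WithField("args", c.Args)` on the preceding line still logs the full command line, so a publisher whose arguments are templated from the same secrets would leak them through `args` exactly as they leaked through `env`; consider redacting or documenting that `args` is logged at debug level. The change set (3 files, +1 −4) also contains no test asserting that the environment is absent from the log output, so nothing stops the field from being reintroduced.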
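Review bot: in the `internal/pipe/sbom/sbom.go` hunk, the rewritten call keeps `dir` and `cmd`, so `cmd.Args` is still logged in full; `cmd.Env = append(cmd.Env, envs...)` two lines above is the path by which secrets enter and is now withheld from the log, but a secret handed to the SBOM tool as a command-line flag would still appear. Logging `len(cmd.Env)` or only the variable names (the part before `=`) would keep the debuggability the field was there for without emitting any value.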
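Review bot: in the `internal/shell/shell.go` hunk, `Run` still accepts `env []string` and simply stops logging it while `WithField("cmd", command)` remains, so the same caveat about secrets in the command line applies here. A one-line comment on `Run` saying that `env` is intentionally not logged would help, since the field is a natural thing for a later contributor to add back when debugging a failing shell hook.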
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-h3q2-8whx-c29h (ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-23840 (ADVISORY)
- [3] github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0 (WEB, x_refsource_MISC)
- [4] github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h (WEB, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.