CVE-2025-24355
Description
Updatecli is a tool used to apply file update strategies. Prior to version 0.93.0, private maven repository credentials may be leaked in application logs in case of unsuccessful retrieval operation. During the execution of an updatecli pipeline which contains a maven source configured with basic auth credentials, the credentials are being leaked in the application execution logs in case of failure. Credentials are properly sanitized when the operation is successful but not when for whatever reason there is a failure in the maven repository, e.g. wrong coordinates provided, not existing artifact or version. Version 0.93.0 contains a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/updatecli/updatecliGo | < 0.93.0 | 0.93.0 |
Patches
2647d1d8f339d344b28091ffefix: hide username/password from URL in log message (#3659)
5 files changed · +7 −8
pkg/core/text/main.go+1 −1 modified@@ -110,7 +110,7 @@ func getLine(reader io.Reader, line int) string { // "https://", or file url "file://" or filepath (default) func (t *Text) ReadAll(location string) (string, error) { if IsURL(location) { - logrus.Debugf("URL detected for location %q", location) + logrus.Debugf("URL detected for location %q", redact.URL(location)) content, err := t.readFromURL(location, 0) if err != nil { return "", err
pkg/plugins/resources/maven/condition.go+2 −1 modified@@ -6,6 +6,7 @@ import ( "github.com/sirupsen/logrus" "github.com/updatecli/updatecli/pkg/core/pipeline/scm" + "github.com/updatecli/updatecli/pkg/plugins/utils/redact" ) // Condition tests if a specific version exist on the maven repository @@ -34,7 +35,7 @@ func (m *Maven) Condition(source string, scm scm.ScmHandler) (pass bool, message for _, version := range versions { if version == m.spec.Version { return true, fmt.Sprintf("Version %s is available on the Maven Repository (%s)", - m.spec.Version, metadataURL), nil + m.spec.Version, redact.URL(metadataURL)), nil } } }
pkg/plugins/resources/maven/source.go+2 −1 modified@@ -5,6 +5,7 @@ import ( "github.com/sirupsen/logrus" "github.com/updatecli/updatecli/pkg/core/result" + "github.com/updatecli/updatecli/pkg/plugins/utils/redact" ) // Source return the latest version @@ -28,7 +29,7 @@ func (m *Maven) Source(workingDir string, resultSource *result.Source) error { resultSource.Description = fmt.Sprintf( "Latest version is %s on the Maven repository at %s", latestVersion, - metadataURL, + redact.URL(metadataURL), ) return nil }
pkg/plugins/resources/maven/utils.go+0 −4 modified@@ -4,8 +4,6 @@ import ( "net/url" "path" "strings" - - "github.com/sirupsen/logrus" ) // isRepositoriesContainsMavenCentral return if the repositories list contains the maven central url @@ -76,7 +74,5 @@ func joinURL(elems []string) (string, error) { args := path.Join(remainingElements...) - logrus.Printf(URL) - return URL + "/" + args, nil }
pkg/plugins/utils/mavenmetadata/main.go+2 −1 modified@@ -8,6 +8,7 @@ import ( "github.com/updatecli/updatecli/pkg/core/result" "github.com/updatecli/updatecli/pkg/core/text" + "github.com/updatecli/updatecli/pkg/plugins/utils/redact" "github.com/updatecli/updatecli/pkg/plugins/utils/version" "golang.org/x/text/encoding/ianaindex" ) @@ -69,7 +70,7 @@ func (d *DefaultHandler) GetLatestVersion() (string, error) { switch d.versionFilter.Kind { case "latest", "": if data.Versioning.Latest == "" { - return "", fmt.Errorf("%s No latest version found at %s", result.FAILURE, d.metadataURL) + return "", fmt.Errorf("%s No latest version found at %s", result.FAILURE, redact.URL(d.metadataURL)) } return data.Versioning.Latest, nil
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-v34r-vj4r-38j6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-24355ghsaADVISORY
- github.com/updatecli/updatecli/commit/344b28091ffeca5ed32e8d0f9eda542842fcd3fanvdWEB
- github.com/updatecli/updatecli/security/advisories/GHSA-v34r-vj4r-38j6nvdWEB
- www.updatecli.io/docs/plugins/resource/mavenghsaWEB
News mentions
0No linked articles in our index yet.