Medium severity 6.8 · OSV Advisory · Published Sep 5, 2025 · Updated Apr 15, 2026
CVE-2025-58401
Description
Obsidian GitHub Copilot Plugin versions prior to 1.1.7 store the GitHub API token in cleartext. As a result, an attacker may perform unauthorized operations on the linked GitHub account.
Affected products
1- Range: 1.0.0, 1.0.1, 1.0.10, …
Patches
10eb493e3837a🔖 v1.1.7
4 files changed · +5 −5
manifest.json+1 −1 modified@@ -1,7 +1,7 @@ { "id": "github-copilot", "name": "GitHub Copilot", - "version": "1.1.6", + "version": "1.1.7", "minAppVersion": "1.5.12", "description": "Implement GitHub Copilot services (suggestion and chat) in Obsidian", "author": "Vasseur Pierre-Adrien",
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "obsidian-github-copilot", - "version": "1.1.6", + "version": "1.1.7", "description": "Implement GitHub Copilot services (suggestion and chat) in Obsidian", "main": "main.js", "scripts": {
package-lock.json+2 −2 modified@@ -1,12 +1,12 @@ { "name": "obsidian-github-copilot", - "version": "1.1.6", + "version": "1.1.7", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "obsidian-github-copilot", - "version": "1.1.6", + "version": "1.1.7", "license": "MIT", "dependencies": { "@pierrad/ts-lsp-client": "^1.0.5",
src/main.ts+1 −1 modified@@ -37,7 +37,7 @@ export default class CopilotPlugin extends Plugin { copilotAgent: CopilotAgent; private cmExtensionManager: ExtensionManager; private eventManager: EventManager; - version = "1.1.6"; + version = "1.1.7"; tabSize = Vault.DEFAULT_TAB_SIZE; async onload() {
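Review bot: In the src/main.ts hunk, `version = "1.1.7";` is a fourth hand-maintained copy of the release number that the manifest.json, package.json and package-lock.json hunks also bump, so a release where one copy is missed would report the wrong version. Consider reading it from the plugin manifest (Obsidian exposes it as `this.manifest.version` on `Plugin`) or generating the field at build time, so that a user checking whether they run 1.1.7 or later is not misled by a stale string.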
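Review bot: Every changed line in the manifest.json, package.json, package-lock.json and src/main.ts hunks is a version string (+5 −5 in total), so nothing in this commit touches how the GitHub API token is stored. For a release that the advisory names as the fixed version, the commit message or the advisory entry should point to the commit that changes the token storage, so that the change itself can be reviewed and backported.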
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.