Low severity3.8OSV Advisory· Published Oct 28, 2025· Updated Apr 15, 2026

CVE-2025-62794

Description

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7.

Affected products

RichardoC/Github Workflow Updater ExtensionOSV
Range: 0.0.1, 0.0.2, 0.0.3, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/RichardoC/github-workflow-updater-extension/commit/b9518c38ac6bc2a9fda2242e6daef17f7184ad1fnvd
github.com/RichardoC/github-workflow-updater-extension/security/advisories/GHSA-679x-97jw-8vjpnvd

News mentions

No linked articles in our index yet.

cvss	0.247
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000