Composer vulnerability leaks GitHub Actions GITHUB_TOKEN in logs due to format mismatch
By
damienwebdev
Summary
A security vulnerability has been identified where Composer leaks the full contents of GitHub OAuth tokens (specifically GITHUB_TOKEN) to stderr logs when the tokens don't match Composer's expected format. GitHub introduced a new GITHUB_TOKEN format that includes a hyphen, which fails Composer's validation and causes the token to be disclosed in logs. This issue is amplified because many widely-used GitHub Actions (like shivammathur/setup-php) automatically register GITHUB_TOKEN into Composer's global auth.json, meaning the leak can trigger without any unusual user configuration.
Key quotes
Composer leaks the full contents of tokens configured as GitHub OAuth tokens if they do not match Composer's expected format for such tokens to stderr.
GitHub has introduced a new format for GitHub Actions GITHUB_TOKEN values.
The new format including a - (hyphen) fails Composer's validation and leads to disclosure of the GITHUB_TOKEN in logs.
Many widely-used Actions (e.g. shivammathur/setup-php) auto-register GITHUB_TOKEN into composer's global auth.json, so the leak triggers without any unusual user configuration.
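The failure mode described above is a format check whose error path echoes the secret it rejected. The following is an added illustration, not Composer's own code and not taken from the advisory: `describeInvalidTokenLeaky` shows the leaky pattern, `describeInvalidTokenSafe` the same check reporting only a redacted value and the offending characters. The permitted-character regex, the sample value and all function names are assumptions for this example; the page does not give Composer's actual rule or the exact new GITHUB_TOKEN format.

```php
<?php
// Added example: contrasts a diagnostic that leaks a rejected credential with one
// that reports the same failure without the credential itself. Not Composer code.

declare(strict_types=1);

// Assumed permitted character set for this example only. The real Composer rule
// and the exact new hyphenated GITHUB_TOKEN format are not given on the page.
const TOKEN_PATTERN = '/^[A-Za-z0-9_.]+$/';

/** Leaky pattern: the whole credential is interpolated into the error message. */
function describeInvalidTokenLeaky(string $token): string
{
    if (preg_match(TOKEN_PATTERN, $token) === 1) {
        return 'ok';
    }
    // Anything written from here to stderr ends up in the CI job log.
    return sprintf('GitHub OAuth token "%s" contains invalid characters', $token);
}

/** Keep a short prefix (enough to recognise the token type) and the length. */
function redactToken(string $token): string
{
    $len = strlen($token);
    if ($len <= 8) {
        return str_repeat('*', $len);
    }
    return substr($token, 0, 4) . str_repeat('*', $len - 4) . ' (' . $len . ' chars)';
}

/** Safe pattern: name the characters that failed the rule, never the value. */
function describeInvalidTokenSafe(string $token): string
{
    if (preg_match(TOKEN_PATTERN, $token) === 1) {
        return 'ok';
    }
    preg_match_all('/[^A-Za-z0-9_.]/', $token, $matches);
    $offending = implode(' ', array_unique($matches[0]));
    return sprintf(
        'GitHub OAuth token %s contains unexpected characters: %s',
        redactToken($token),
        $offending
    );
}

// Constructed sample value containing a hyphen; not a real token.
$sample = 'ghs_constructed-example-value-0000';
fwrite(STDERR, describeInvalidTokenLeaky($sample) . PHP_EOL);
fwrite(STDERR, describeInvalidTokenSafe($sample) . PHP_EOL);
```

Run with `php example.php 2>&1` to see both messages side by side: the first line would hand the full token to anyone who can read the job log, the second still tells the operator why registration failed (a `-` is present) without disclosing the secret. The same principle applies wherever CI tooling validates credentials taken from the environment.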
