Vulnerability Description
z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPUs. In version 1.38 and prior, the `makefile-ubuntu.yml` workflow file uses `actions/upload-artifact@v4` to upload the `z80pack-ubuntu` artifact. This artifact is a zip of the current directory, which includes the automatically generated `.git/config` file containing the run's GITHUB_TOKEN. Because the artifact can be downloaded before the workflow ends, there is a window of a few seconds in which an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. This issue has been fixed in commit bd95916.
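As an added pre-upload gate (example code written for this page, not from the z80pack project or the fixing commit), the scanner below opens an artifact zip and reports any `.git/config` member that still carries the HTTP Authorization header `actions/checkout` persists by default; the sample artifact and the header value are constructed placeholders, and only the path and config section are reported, never the value.

```python
import io
import re
import zipfile

# Constructed sample of what actions/checkout leaves in .git/config with its default
# persist-credentials setting; the base64 value is a placeholder, not a real token.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/example-org/example-repo
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64_NOT_A_REAL_TOKEN
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*)$")

def credential_entries(config_text):
    """Return (section, key) pairs whose value carries an HTTP Authorization header."""
    hits, section = [], ""
    for line in config_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and m.group(1).lower() == "extraheader" and "authorization" in m.group(2).lower():
            hits.append((section, m.group(1)))
    return hits

def scan_artifact(zip_bytes):
    """List git config members of an artifact zip that carry credentials (path and section only)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name == ".git/config" or name.endswith("/.git/config"):
                text = zf.read(name).decode("utf-8", errors="replace")
                for section, key in credential_entries(text):
                    findings.append(f"{name}: [{section}] {key}")
    return findings

def build_sample_artifact(include_git_dir):
    """Construct an in-memory artifact shaped like a zip of the whole checkout directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("z80pack/README.md", "sample build output\n")
        if include_git_dir:
            zf.writestr("z80pack/.git/config", SAMPLE_GIT_CONFIG)
    return buf.getvalue()
```

A non-empty result should fail the job before the upload step runs; the root cause is removed by checking out with `persist-credentials: false` or excluding `.git` from the artifact path (general hardening, not a description of what commit bd95916 changed).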
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/udo-munk/z80pack/commit/1e06c2fe498ca772002b5c4f6f9e3085061e4
- https://github.com/udo-munk/z80pack/commit/836c2e37b54f86bb4bed9e1406b67e52aa523
- https://github.com/udo-munk/z80pack/commit/95535987d690bd20849fbf143f267283f0e2d
- https://github.com/udo-munk/z80pack/commit/bd9591615ae7b1e6229aa60a485447441c4a0
- https://github.com/udo-munk/z80pack/security/advisories/GHSA-gpjj-f76m-9x3q
FAQ
What is CVE-2025-32953?
CVE-2025-32953 is a vulnerability with a CVSS score of 8.7 (HIGH). z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPU. In version 1.38 and prior, the `makefile-ubuntu.yml` workflow file uses `actions/upload-artifact@v4` to upload the `z80pack-ub...
How severe is CVE-2025-32953?
CVE-2025-32953 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-32953?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.