QwikSec

Security Database

CVE

CWE

Training

CVE-2025-32953

Published: Apr 18, 2025

Modified: Apr 21, 2025

PUBLISHED

CVSS v3.1

8.7

HIGH

Description

z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPU. In version 1.38 and prior, the `makefile-ubuntu.yml` workflow file uses `actions/upload-artifact@v4` to upload the `z80pack-ubuntu` artifact. This artifact is a zip of the current directory, which includes the automatically generated `.git/config` file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the Github API to push malicious code or rewrite release commits in your repository. This issue has been fixed in commit bd95916.

Vendor	Product	Versions
udo-munk	z80pack	affected `< bd95916`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

References

https://github.com/udo-munk/z80pack/security/advisories/GHSA-gpjj-f76m-9x3q

x_refsource_CONFIRM

https://github.com/udo-munk/z80pack/commit/1e06c2fe498ca772002b5c4f6f9e3085061e47da

x_refsource_MISC

https://github.com/udo-munk/z80pack/commit/836c2e37b54f86bb4bed9e1406b67e52aa52308d

x_refsource_MISC

https://github.com/udo-munk/z80pack/commit/95535987d690bd20849fbf143f267283f0e2db91

x_refsource_MISC

https://github.com/udo-munk/z80pack/commit/bd9591615ae7b1e6229aa60a485447441c4a0c15

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.