CVE-2025-24362 – CodeQL GitHub Action failed workflow writes GitHub PAT to debug artifacts

https://notcve.org/view.php?id=CVE-2025-24362

24 Jan 2025 — In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment. This vulnerability is patched in CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later. For some affected work... • https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough • CWE-532: Insertion of Sensitive Information into Log File •