high
7.1
CWE
359
EPSS
0.043%
Advisory Published
Advisory Published
Updated

CVE-2025-24355: Updatecli may expose Maven credentials in console output

First published: Fri Jan 24 2025(Updated: )

### Summary Private maven repository credentials leaked in application logs in case of unsuccessful retrieval operation. ### Details During the execution of an updatecli pipeline which contains a `maven` source configured with basic auth credentials, the credentials are being leaked in the application execution logs in case of failure. Credentials are properly sanitized when the operation is successful but not when for whatever reason there is a failure in the maven repository .e.g. wrong coordinates provided, not existing artifact or version. ### PoC The [documentation](https://www.updatecli.io/docs/plugins/resource/maven/) currently state to provide user credentials as basic auth inside the `repository` field. e.g. ``` sources: default: kind: maven spec: repository: "{{ requiredEnv "MAVEN_USERNAME" }}:{{ requiredEnv "MAVEN_PASS" }}@repo.example.org/releases" groupid: "org.example.company" artifactid: "my-artifact" versionFilter: kind: regex pattern: "^23(\.[0-9]+){1,2}$" ``` Logs are sanitized properly in case of a successful operation: ``` source: source#default ----------------------------------------------------------- Searching for version matching pattern "^23(\\.[0-9]+){1,2}$" ✔ Latest version is 23.4.0 on the Maven repository at https://repo.example.org/releases/org/example/company/my-artifact/maven-metadata.xml ``` but leaks credentials in case the GAV coordinates are wrong (misspelled package name or missing): ``` source: source#default ----------------------------------------------------------- ERROR: ✗ getting latest version: URL "https://REDACTED:REDACTED@repo.example.org/releases/org/example/company/wrong-artifact/maven-metadata.xml" not found or in error ``` ### Impact User credentials/token used to authenticate against a private maven repository can be leaked in clear-text in console or CI logs.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
go/github.com/updatecli/updatecli<0.93.0
0.93.0
Updatecli<0.93.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-24355?

    CVE-2025-24355 is classified as a moderate severity vulnerability due to the leakage of private repository credentials.

  • How do I fix CVE-2025-24355?

    To fix CVE-2025-24355, upgrade the Updatecli application to version 0.93.0 or later.

  • What type of vulnerability is CVE-2025-24355?

    CVE-2025-24355 is a credential leakage vulnerability that occurs during unsuccessful retrieval operations.

  • Who is affected by CVE-2025-24355?

    Users of Updatecli versions prior to 0.93.0 that use maven sources with basic authentication are affected by CVE-2025-24355.

  • When was CVE-2025-24355 disclosed?

    CVE-2025-24355 was disclosed in 2025, detailing the vulnerabilities related to private maven repository credential leakage.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203