Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions — GHSA-5WXR-W449-57CM
GitHub · GitHub · GHSA-5WXR-W449-57CM
ID
GHSA-5WXR-W449-57CM
GHSA-5WXR-W449-57CM
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
5.9
5.9
Summary
### Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example `tools: composer:2.9.7`. Workflows using the default Composer version, `composer:v2`, or no pinned Composer version are not affected through setup-php, because those Composer URLs have been updated to patched Composer releases for all setup-php versions. setup-php does not directly print the…
Product
actions: shivammathur/setup-php
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.