alt.hn

5/13/2026 at 11:26:33 AM

Composer leaks contents of tokens configured as GitHub OAuth tokens

https://github.com/composer/composer/security/advisories/GHSA-f9f8-rm49-7jv2

by damienwebdev

5/13/2026 at 11:26:33 AM

I was the reporter on this one. If you have Github Actions in your organization, disable them immediately if you're unsure which version of composer your Github Actions run.

by damienwebdev

5/13/2026 at 7:55:51 PM

Could you elaborate on this bit on why Github's secret masking doesn't work here:

> GitHub Actions' built-in secret masker matches registered values as exact substrings. When the exception message is rendered by Symfony Console it may wrap, embed in "In BaseIO.php line N:" framing, or interleave with ANSI control sequences. So the masker does not redact, and the plaintext token reaches the log.

What does this log rendering look like such that the token from that code snippet becomes interleaved enough to not be a substring match?

I'm not familiar with composer/Symfony but I would expect something like:

  Line 34: Foo bar
  Line 34: <red>Foo bar</red>

by ammar2

5/13/2026 at 8:10:28 PM

From what I can tell Symfony wraps these errors in a styled error block so it messes with GitHub's masking. For example, newlines breaking up the token are apparently enough to trick the masker since it's not a substring anymore.

For your example:

Line 34: <red>ghs_fdsafdsarewqfdsa...</red>

Is probably long enough in most cases to break to a new line.

Also, those blocks get "interleaved" like this:

<red>ghs_fdsafdsarewqfdsafdsa</red>

<red>fdsardsardsafdsafs......</red>

So there are now </red>'s within the token, also breaking the substring matching.

This is kind of eye-opening for me -- I have never thought about how styled output like this could cause logging leakages.

by jacobrussell
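To make the masking discussion above concrete, here is an added example; it is not Composer's, Symfony's or GitHub's code and is not taken from the advisory. It models an exact-substring masker, renders a rejected-token error the way a wrapped, colour-styled console block would (the 40-column width and the escape sequences are an approximation of Symfony's error block), and checks three things: the token is no longer a single substring once rendered, it becomes contiguous again after the ANSI codes are stripped and the lines rejoined (which is the pre-processing a CI-log scanner should do), and a validator that never echoes the rejected value leaks nothing at all. The sample token and the OLD_TOKEN_RE pattern are constructed assumptions, not the real Composer pattern.

```python
import re
import textwrap

# Constructed sample token, not a real credential. Its shape (a "ghs_" prefix
# followed by 42 characters) is an assumption made for this example.
SECRET = "ghs_" + "A1b2C3d4" * 5 + "Zz"

# Hypothetical "old" validation pattern: a classic 36-character token body or a
# 40-hex legacy token. Composer's real pattern is not reproduced here.
OLD_TOKEN_RE = re.compile(r"^(gh[pousr]_[A-Za-z0-9]{36}|[0-9a-f]{40})$")

# Symfony-like error styling: white text on a red background, then reset.
RED = "\x1b[37;41m"
RESET = "\x1b[0m"
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


def gha_style_mask(text: str, secrets) -> str:
    """Exact-substring masker, the behaviour the thread attributes to GitHub Actions."""
    for s in secrets:
        if s:
            text = text.replace(s, "***")
    return text


def symfony_style_error_block(message: str, width: int = 40) -> str:
    """Approximate a console error block: a blank padded line, the message
    wrapped to `width` (long words broken), another blank line, and every line
    wrapped in colour escapes so the reset code sits between the fragments."""
    body = textwrap.wrap(message, width=width, break_long_words=True)
    lines = [""] + body + [""]
    return "\n".join(f"{RED}  {line.ljust(width)}  {RESET}" for line in lines)


def validate_token_leaky(token: str) -> None:
    """Vulnerable pattern: the rejected value is interpolated into the error text."""
    if not OLD_TOKEN_RE.match(token):
        raise ValueError(f"Invalid GitHub OAuth token: {token}")


def validate_token_safe(token: str) -> None:
    """Hardened pattern: describe the rejection without echoing the value."""
    if not OLD_TOKEN_RE.match(token):
        known = token[:4] in ("ghp_", "ghs_", "gho_", "ghu_", "ghr_")
        raise ValueError(
            f"Invalid GitHub OAuth token (length {len(token)}, known prefix: {known})"
        )


def normalise_log(text: str) -> str:
    """Undo the styling before scanning: drop ANSI sequences and rejoin the
    padded, wrapped lines so a token split across them is contiguous again."""
    plain = ANSI_RE.sub("", text)
    return "".join(line.strip() for line in plain.splitlines())


def render_failure(validator, token: str) -> str:
    """Run a validator and render its exception the way a console app would."""
    try:
        validator(token)
    except ValueError as exc:
        return symfony_style_error_block(str(exc))
    return ""


def demo(token: str = SECRET) -> dict:
    leaky = render_failure(validate_token_leaky, token)
    safe = render_failure(validate_token_safe, token)
    raw_message = f"Invalid GitHub OAuth token: {token}"
    return {
        # 1. On the unstyled message the substring masker works.
        "raw_masked_ok": token not in gha_style_mask(raw_message, [token]),
        # 2. The rendered block never contains the token as one substring,
        #    so the masker has nothing to replace and silently passes it through.
        "rendered_contains_token": token in leaky,
        # 3. The token is fully recoverable once the styling is undone.
        "recoverable_after_normalise": token in normalise_log(leaky),
        # 4. Masking (or scanning) the normalised text does catch it.
        "normalised_masked_ok": token not in gha_style_mask(normalise_log(leaky), [token]),
        # 5. The root-cause fix: the safe validator never puts the token in the message.
        "safe_message_leaks": token in normalise_log(safe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The takeaway is the ordering: GitHub's masker sees the bytes after Symfony has wrapped and coloured them, so the only reliable defences are upstream (never put the credential in an exception message) or downstream (normalise logs before scanning them, as the thread's later suggestion to scan CI logs implies).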

5/13/2026 at 8:16:13 PM

Aah, the newlines were the thing I was missing. That makes sense then.

by ammar2

5/13/2026 at 9:27:07 PM

Nice find. The tokens being leaked in actions log was not one of the security implications I thought of when they released the feature.

How many other actions/libraries do you think are vulnerable?

by securesaml

5/13/2026 at 7:50:32 PM

Not immediately clear to me, is this limited to ghu_xxx type OAUTH tokens? And it's only relevant for PHP projects that use composer in GHA?

by semi-extrinsic

5/13/2026 at 8:00:57 PM

That's my understanding. This seems to only affect PHP projects that use Composer in GitHub Actions. Examples being usage of shivammathur/setup-php and/or php-actions/composer.

by jacobrussell

5/13/2026 at 9:19:48 PM

I may be silly but why would you ever want to validate the structure of an opaque authentication key? Couldn't you just hit a harmless endpoint (e.g. /rate_limit) to see if it returns 401 or not?

by ShowalkKama

5/14/2026 at 2:45:30 AM

This is also a good reminder to scan CI logs, not just source code.

Shameless plug: I work on Kingfisher, an Apache 2.0 OSS secret scanner and validator written in Rust, that can also map blast radius and revoke many creds:

<https://github.com/mongodb/kingfisher>

It can scan repos, history, and artifacts and validate many findings against provider APIs, as well as revoke many exposed tokens directly from the CLI. Also generates a blast-radius/access-map view so you can see what a leaked credential could reach.

Install:

  brew install kingfisher
  # or
  uv tool install kingfisher-bin

Scan a local path:

  kingfisher scan /path/to/scan --access-map --view-report

Or scan a GitHub/GitLab repo directly:

  kingfisher scan https://github.com/path/to/repo.git --access-map --view-report

by micksmix

5/13/2026 at 7:27:57 PM

GHA have always been a PITA for any serious DevOps; it's quite clear they were designed to integrate in 7 lines of code and then tell everyone who complains that they're doing it wrong.

This does not surprise me.

by Normal_gaussian

5/13/2026 at 8:05:20 PM

It is a PITA, but that can be significantly improved IMHO if you just write shell script wrappers for your tasks. Not only does it make it easier to run CI locally, but it also makes it so much easier to move platforms in the future.

When the GH action YAML is just invoking shell scripts, I find it quite pleasant to use

by freedomben

5/13/2026 at 10:59:00 PM

That's mostly been my approach as well... I've also started relying on Deno for a lot of general shell scripting as you can use repository modules without an install step and shebang works outside Windows (or inside with bash).

by tracker1

5/13/2026 at 11:08:59 PM

Yeah, this is what I've always done too - already had to migrate from GitHub to GitLab once and a test.sh script saved me a lot of time.

by jamesfinlayson

5/13/2026 at 8:14:53 PM

You've perfectly described how Microsoft operates and how GitHub Actions is apparently based on Azure DevOps pipelines.

by datadrivenangel

5/13/2026 at 8:25:33 PM

No. GHA has always been trash before MS got to it. A lot of GHA influenced ADO.

by youre-wrong3

5/13/2026 at 11:00:29 PM

IMO the .yaml config for ADO was an improvement... though it carries similar issues to GHA. I mostly use it as a script runner.

by tracker1

5/13/2026 at 8:06:05 PM

What is the security implication for private repos?

by euph0ria

5/13/2026 at 8:57:10 PM

If everyone that can read the logs are people who can read the secrets, then nothing. If there are any log readers who shouldn't be secret readers, it's a potentially exposed secret.

by Normal_gaussian

5/13/2026 at 7:33:42 PM

The title suggests it is a Github issue but really it is https://github.com/composer/composer no? I would edit the title for clarity.

by esafak

5/13/2026 at 8:08:15 PM

Yes, it's a Composer issue (which is a PHP dependency manager) with the new format of GITHUB_TOKEN.

It's not an issue in GHA itself, this time. But if you are a composer user in GH, you should definitely be warned (and worried).

by darkwater

5/13/2026 at 11:01:33 PM

You're using PHP... you aren't worried about anything... ;-)

/kidding

by tracker1

5/13/2026 at 7:53:30 PM

it's not super clear, but that's my read as well... i think i can start lowering my panic levels now.

by incomplete

5/13/2026 at 8:31:49 PM

the title is incorrect; it's not a github error but php composer's github action. cc @dang before people freak out

by h1fra

5/14/2026 at 2:36:36 AM

It's a mix of responsibility between both systems. A new format combined with an old "bug".

by damienwebdev

5/13/2026 at 9:04:54 PM

@'ing doesn't work on hackernews, emailing does tho.

by shimman