CVE-2025-24363: HL7 FHIR IG Publisher potentially exposes GitHub repo user and credential information

January 24, 2025

In CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure.

References

github.com/HL7/fhir-ig-publisher
github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2
github.com/advisories/GHSA-6729-95v3-pjc2
nvd.nist.gov/vuln/detail/CVE-2025-24363

Detect and mitigate CVE-2025-24363 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →