4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-24363

GHSA ID

GHSA-6729-95v3-pjc2

EPSS Score

0.03852%

CWE

CWE-200

Published

1/24/2025

Updated

1/24/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24363

CVE-2025-24363:
HL7 FHIR IG Publisher potentially exposes GitHub repo user and credential information

Impact

In CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure.

Patches

This problem has been patched in release 1.8.9

Workarounds

Users should update to 1.8.9 or the latest release

Users should ensure the IG repo they are publishing does not have username or credentials included in the origin URL. Running the command git remote origin url should return a URL that contains no username, password, or token.

Users should run the IG Publisher CLI with the -repo parameter and specify a URL that contains no username, password, or token.

(GitHub Advisory)

4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-24363

GHSA ID

GHSA-6729-95v3-pjc2

EPSS Score

0.03852%

CWE

CWE-200

Published

1/24/2025

Updated

1/24/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.hl7.fhir.publisher:org.hl7.fhir.publisher.core	maven	< 1.8.9	1.8.9
org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli	maven	< 1.8.9	1.8.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises because the generateDataFile method in Publisher.java retrieves the repository URL via git commands (e.g., gh() or getGitUrl()) and includes it in the output data. In the original code, this URL (potentially containing credentials) was added to the data object, which was then written to the Implementation Guide. The commit diff shows that the loop adding data properties to db.metadata was moved to occur before the repoSource is added to data, preventing the sensitive URL from being included in the metadata. The presence of the original code structure (where repoSource was included in data before metadata generation) directly caused the exposure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In *I *ont*xts, t** I* Pu*lis**r *LI us*s *it *omm*n*s to **t*rmin* t** URL o* t** ori*in*tin* r*po. I* t** r*po w*s *lon**, or ot**rwis* s*t to us* * r*po t**t us*s * us*rn*m* *n* *r***nti*l **s** URL, t** *ntir* URL will ** in*lu*** in t

Reasoning

T** vuln*r**ility *ris*s ****us* t** `**n*r*t***t**il*` m*t*o* in `Pu*lis**r.j*v*` r*tri*v*s t** r*pository URL vi* *it *omm*n*s (*.*., `**()` or `**t*itUrl()`) *n* in*lu**s it in t** output **t*. In t** ori*in*l *o**, t*is URL (pot*nti*lly *ont*inin

4.2

Basic Information

Concerned about an active attack path?

CVE-2025-24363: HL7 FHIR IG Publisher potentially exposes GitHub repo user and credential information

Impact

Patches

Workarounds

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-24363:
HL7 FHIR IG Publisher potentially exposes GitHub repo user and credential information

Vulnerability Intelligence
Miggo AI