CVE-2025-32953 - z80pack Emulator Vulnerability: Critical Exposure of Sensitive GITHUB_TOKEN Information

Introduction
z80pack is a mature emulator of multiple platforms with 808 and Z80 CPU. The emulator has been widely used by hobbyists and developers alike to emulate, tinker with, and create interesting programs spanning multiple platforms. However, in z80pack version 1.38 and prior, a critical vulnerability was discovered that exposes sensitive GITHUB_TOKEN information. This vulnerability poses a serious risk to users and the integrity of repositories being used with z80pack.

Vulnerability Details
Within version 1.38 and prior of z80pack, the makefile-ubuntu.yml workflow file uses actions/upload-artifact@v4 to upload the z80pack-ubuntu artifact. This artifact is a zip of the current directory, which happens to include the automatically generated .git/config file.

This may seem harmless at first, but the .git/config file contains the run's GITHUB_TOKEN. This token is sensitive and is meant to be kept private since it can potentially be exploited by malicious actors. Due to the nature of the artifact being uploaded as a zipfile and available for download before the workflow completes, there is a window of opportunity for an attacker to gather and exploit the sensitive token information.

During this short window, an attacker could use the extracted token with the GitHub API to push malicious code, rewrite release commits, or perform other nefarious actions within the victim's repository. This could lead to serious impacts on affected repositories and loss of trust in the software being developed.

Code Snippet

The vulnerability exists in the makefile-ubuntu.yml workflow file

- name: Upload z80pack-ubuntu artifact
  uses: actions/upload-artifact@v4
  with:
    name: z80pack-ubuntu
    path: ${{ github.workspace }}

Here is the patched code snippet from commit bd95916

- name: Prepare z80pack-ubuntu artifact
  run: |
    mkdir z80pack-ubuntu
    cp -R * z80pack-ubuntu
    rm z80pack-ubuntu/.git/config

- name: Upload z80pack-ubuntu artifact
  uses: actions/upload-artifact@v4
  with:
    name: z80pack-ubuntu
    path: z80pack-ubuntu/

Fix and References
This issue has been fixed in commit bd95916. It is highly encouraged to update to the latest version of z80pack or apply the changes as shown above to prevent exposure of sensitive GITHUB_TOKEN information. You can follow the full discussion regarding this vulnerability in the corresponding GitHub issue.

Conclusion
This post sheds light on the CVE-2025-32953 vulnerability found in z80pack version 1.38 and prior. The exploit exposes sensitive GITHUB_TOKEN information through the makefile-ubuntu.yml workflow file, creating a dangerous window of opportunity for attackers. The patch eliminates this vulnerability, ensuring the integrity of repositories and the continued trust in z80pack emulator software. Stay safe, and always keep your software up-to-date!

Timeline

Published on: 04/18/2025 21:15:44 UTC
Last modified on: 04/21/2025 14:23:45 UTC