CVE-2025-46820 is a high-severity vulnerability affecting versions of the phpgt/Dom library prior to 4.1.8. The phpgt/Dom library provides access to modern DOM APIs in PHP environments. The vulnerability arises from the continuous integration (CI) workflow configuration, specifically the ci.yml file, which uses the GitHub action actions/upload-artifact@v4 to upload build artifacts. These artifacts are zip files containing the current directory, which inadvertently includes the automatically generated .git/config file. This file contains the GITHUB_TOKEN used during the workflow run. Because the artifact can be downloaded before the workflow completes, there is a brief window during which an attacker with access to the artifact can extract the GITHUB_TOKEN. This token grants API access to the GitHub repository with permissions to push code or rewrite release commits. Although the token is ephemeral and only valid for the duration of the workflow run, the exposure allows an attacker to perform malicious actions such as injecting malicious code or tampering with release history, potentially compromising the integrity of the software supply chain. The vulnerability is classified under multiple CWEs related to information exposure and improper handling of sensitive data (CWE-200, CWE-312, CWE-522, CWE-538). The issue is fixed in version 4.1.8 of phpgt/Dom by presumably excluding sensitive files from the artifact or securing token handling. The CVSS 3.1 score of 7.1 reflects a high severity with network attack vector, high impact on integrity and availability, and limited user interaction required.

For European organizations using phpgt/Dom in their software projects, especially those leveraging GitHub Actions for CI/CD workflows, this vulnerability poses a significant risk to the confidentiality and integrity of their code repositories. An attacker exploiting this flaw could obtain the GITHUB_TOKEN and push unauthorized code changes, potentially inserting backdoors or malicious payloads into software distributed to end users. This compromises the software supply chain, which is critical for maintaining trust and security in software development. Additionally, rewriting release commits can disrupt version control integrity, complicating incident response and forensic analysis. The limited token lifetime reduces the window of exploitation but does not eliminate the risk, especially in automated or high-traffic CI environments. Organizations involved in regulated industries or handling sensitive data may face compliance and reputational damage if such an attack occurs. Furthermore, downstream users of affected repositories may unknowingly consume compromised software, amplifying the impact across the software ecosystem.

1. Immediate upgrade of phpgt/Dom to version 4.1.8 or later to ensure the vulnerability is patched. 2. Review and modify CI workflow configurations to exclude sensitive files such as .git/config from build artifacts. This can be done by explicitly specifying artifact contents or using .gitignore-like mechanisms. 3. Limit the permissions of GITHUB_TOKEN by using fine-grained tokens or least privilege principles to restrict actions that can be performed during workflows. 4. Implement monitoring and alerting on unusual repository activities such as unexpected pushes or force pushes to release branches. 5. Rotate repository secrets and tokens regularly and after any suspected exposure. 6. Consider using ephemeral or environment-specific tokens that do not get stored in the repository or artifacts. 7. Educate developers and DevOps teams about secure handling of secrets in CI/CD pipelines to prevent similar exposures. 8. Audit existing artifacts and workflow runs for potential token leakage and revoke any compromised tokens immediately.