Intel

AIKIDO-2026-305929

semantic-release is vulnerable to Exposure of Sensitive Information

Exposure of Sensitive Information Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

41

Medium Risk

This Affects:

JSsemantic-release
19.0.3 - 25.0.5
Fixed in 25.0.6
Are you affected? Scan for Free

TL;DR

The secret-masking logic in lib/hide-sensitive.js builds its redaction pattern from only the raw secret value and its encodeURI form. When the package embeds Git credentials into a repository URL it uses url.format(), which percent-encodes characters such as =, &, and # that encodeURI leaves untouched, producing a credential form the mask does not match. As a result, secrets containing those characters can appear unredacted in command output and logs, for example when a git command fails and the authenticated URL is printed. The fix expands the redaction candidates to also cover encodeURIComponent and the colon-preserving url.format() encoding.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your secret token or password contains characters that get percent-encoded in URLs, such as =, &, or #.

Background info

semantic-release is vulnerable to Exposure of Sensitive Information in versions 19.0.3 - 25.0.5.

How to fix this

Upgrade the semantic-release library to the patch version.