
Composer vulnerability leaks GitHub tokens, threatens PHP supply chain

This write-up covers GHSA-f9f8-rm49-7jv2, a Composer bug in GitHub OAuth token validation. The validation regex accepts only the characters [.A-Za-z0-9_], so it rejects GitHub’s newer ghs_<id>_<JWT> Actions token format whenever the base64url-encoded JWT segment contains a hyphen. On validation failure, Composer throws an exception that interpolates the raw token into the error message, and Symfony Console’s ANSI-coloured, line-wrapped stderr output defeats GitHub Actions secret masking because the token bytes are no longer emitted as one contiguous string.

In common PHP CI setups using shivammathur/setup-php, GITHUB_TOKEN is automatically written into Composer’s global auth.json, so invoking Composer on a vulnerable version can leak the workflow token into public job logs. If the workflow runs with write-scoped GITHUB_TOKEN permissions, attackers can race token revocation while the job is still in progress and use the leaked credential to push commits or publish malicious releases through the Packagist/GitHub release chain, making this a practical PHP supply-chain risk.

The article also notes the patched versions (2.9.8, 2.2.28, 1.10.28) and recommends forcing default Actions tokens to read-only to reduce the blast radius.
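The validation and masking interplay described above, modelled in Python as an added example (this is not Composer’s or Symfony’s code; the fixed regex, the error text, the console and masking models and the sample token are all constructed assumptions). It also shows a log check a defender can run that still finds a token after it has been wrapped across coloured lines.

```python
import re

# Constructed sample token in GitHub's newer Actions format ghs_<id>_<JWT>.
# JWT segments are base64url, so '-' can appear; that is what the old check rejects.
SAMPLE_TOKEN = "ghs_123456_eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhLWIifQ.abc-DEF_ghi"

OLD_TOKEN_RE = re.compile(r"[.A-Za-z0-9_]+")   # character class described on the page
NEW_TOKEN_RE = re.compile(r"[.A-Za-z0-9_-]+")  # assumption: the fix simply admits '-'
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")        # SGR colour escape sequences


def token_is_valid(token, pattern=NEW_TOKEN_RE):
    return pattern.fullmatch(token) is not None


def redact(token):
    """Keep a short prefix so the error is diagnosable, never the secret itself."""
    return token[:4] + "[redacted]"


def unsafe_invalid_token_message(token):
    """Vulnerable pattern: old regex, raw token interpolated into the message."""
    if OLD_TOKEN_RE.fullmatch(token):
        return None
    return f"Your GitHub OAuth token {token} contains invalid characters"


def invalid_token_message(token, pattern=NEW_TOKEN_RE):
    """Hardened pattern: returns the error text or None; the secret is never echoed."""
    if pattern.fullmatch(token):
        return None
    return f"Your GitHub OAuth token {redact(token)} contains invalid characters"


def colour_wrap(text, width):
    """Model of a console that colours and hard-wraps stderr: every wrapped line gets
    its own escape sequences, so a long token is no longer one contiguous string."""
    lines = [text[i:i + width] for i in range(0, len(text), width)]
    return "\n".join("\x1b[37;41m" + line + "\x1b[39;49m" for line in lines)


def masked(output, secret):
    """Model of Actions secret masking: only a contiguous occurrence is replaced."""
    return output.replace(secret, "***")


def log_leaks_secret(log, secret):
    """Defender's log check: strip ANSI codes and line breaks before searching,
    so a token split across wrapped, coloured lines is still detected."""
    flat = ANSI_RE.sub("", log).replace("\r", "").replace("\n", "")
    return secret in flat
```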


This post is licensed under CC BY 4.0 by the author.