Published: 2025/09/05  Last Updated: 2025/09/05

JVN#41633999
Obsidian GitHub Copilot Plugin stores sensitive information in cleartext

Overview

Obsidian GitHub Copilot Plugin provided by Pierre-Adrien Vasseur stores sensitive information in cleartext.

Products Affected

  • Obsidian GitHub Copilot Plugin versions prior to 1.1.7

Description

Obsidian GitHub Copilot Plugin provided by Pierre-Adrien Vasseur contains the following vulnerability.

  • Cleartext storage of sensitive information (CWE-312)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L Base Score 5.1
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Base Score 6.8
    • CVE-2025-58401

Impact

An attacker may obtain the GitHub API token used by the plugin and perform unauthorized operations on the linked GitHub account.
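The advisory does not say which file the plugin wrote the token to. Obsidian plugins normally persist their settings as JSON in `.obsidian/plugins/<plugin-id>/data.json` inside the vault, so a vault owner who wants to know whether a token was exposed can scan those files before rotating it. The following scanner is an added example written for this page; it is not code from the plugin or from JPCERT/CC. The plugin id, the `githubToken` key and the token value in `demo()` are constructed for illustration, and the settings path is an assumption about Obsidian's layout, not something the advisory states. The GitHub token prefixes it matches (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`) are GitHub's documented formats.

```python
import json
import re
from pathlib import Path

# GitHub's documented token prefixes: ghp_ (classic PAT), gho_ (OAuth),
# ghu_/ghs_ (app user/server tokens), ghr_ (refresh), github_pat_ (fine-grained).
GITHUB_TOKEN_RE = re.compile(
    r"^(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})$"
)
# Key names that commonly hold credentials, flagged even if the value
# does not look like a GitHub token.
SECRET_KEY_RE = re.compile(r"(token|secret|password|api[_-]?key)", re.IGNORECASE)


def scan_settings(settings, path="data.json"):
    """Return (file, json-path, category) for values that look like cleartext credentials.

    Walks nested dicts/lists so keys buried in sub-objects are not missed.
    """
    findings = []

    def walk(node, trail):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, trail + [str(key)])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, trail + [str(index)])
        elif isinstance(node, str) and node:
            key = trail[-1] if trail else ""
            if GITHUB_TOKEN_RE.match(node):
                findings.append((path, ".".join(trail), "github-token-format"))
            elif SECRET_KEY_RE.search(key):
                findings.append((path, ".".join(trail), "secret-like-key"))

    walk(settings, [])
    return findings


def scan_vault(vault_dir):
    """Scan every plugin data.json under an Obsidian vault (assumed layout)."""
    vault = Path(vault_dir)
    findings = []
    for data_file in sorted(vault.glob(".obsidian/plugins/*/data.json")):
        try:
            settings = json.loads(data_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON settings file; skip it
        findings.extend(scan_settings(settings, str(data_file.relative_to(vault))))
    return findings


def demo():
    """Build a constructed vault in a temporary directory and scan it."""
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical plugin id; the settings below are constructed sample data.
        plugin_dir = Path(tmp) / ".obsidian" / "plugins" / "example-copilot-plugin"
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "data.json").write_text(json.dumps({
            "enabled": True,
            "githubToken": "ghp_" + "A" * 36,  # constructed, not a real token
            "model": "gpt-4",
        }), encoding="utf-8")
        return scan_vault(tmp)


if __name__ == "__main__":
    for file_name, json_path, category in demo():
        print(f"{file_name}: {json_path} ({category})")
```

Any hit means the credential should be treated as exposed: revoke it on GitHub, issue a new one after updating the plugin to 1.1.7 or later, and check whether the vault is synced or backed up anywhere the file may have been copied. The scan only reads the settings files; it never sends or stores the values it finds.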

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor: Pierre-Adrien Vasseur
Link: Release 1.1.7 obsidian-github-copilot

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Rui Nakajima reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2025-58401
JVN iPedia: JVNDB-2025-000072