JVN#41633999
Obsidian GitHub Copilot Plugin stores sensitive information in cleartext

Overview

Obsidian GitHub Copilot Plugin provided by Pierre-Adrien Vasseur stores sensitive information in cleartext.

Products Affected

• Obsidian GitHub Copilot Plugin versions prior to 1.1.7

Description

Obsidian GitHub Copilot Plugin provided by Pierre-Adrien Vasseur is vulnerable to the following vulnerability.

• Cleartext storage of sensitive information (CWE-312)
  • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L Base Score 5.1
  • CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Base Score 6.8
  • CVE-2025-58401

Impact

An attacker may obtain the GitHub API token used by the plugin and perform unauthorized operations on the linked GitHub account.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Rui Nakajima reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

• JVN
• HOME
• What is JVN ?
• Instructions
• List of Vulnerability Report
• VN_JP
• VN_JP(Unreachable)
• VN_VU
• TA
• TRnotes
• JVN iPedia
• MyJVN
• JVNJS/RSS
• Vendor List
• List of unreachable developers
• Contact