JVNDB-2025-000072

Obsidian GitHub Copilot Plugin stores sensitive information in cleartext

Overview

Obsidian GitHub Copilot Plugin provided by Pierre-Adrien Vasseur contains the following vulnerability.
  • Cleartext storage of sensitive information (CWE-312) - CVE-2025-58401
Rui Nakajima reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
Affected Products


Pierre-Adrien Vasseur
  • Obsidian GitHub Copilot Plugin versions prior to 1.1.7

Impact

An attacker may obtain the GitHub API token used by the plugin and perform unauthorized operations on the linked GitHub account.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

Pierre-Adrien Vasseur
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2025-58401
References

  1. JVN : JVN#41633999
Revision History

  • [2025/09/05]
      Web page was published