## Semantic-Release v19.0.3 Patches Critical Secret Disclosure Vulnerability (CVE-2022-31051)
A critical security vulnerability in the widely used `semantic-release` release-automation tool has been patched in version 19.0.3. The flaw, tracked as CVE-2022-31051, could expose secrets such as API tokens and passwords: the tool's secret-masking mechanism did not account for characters that `encodeURI` leaves unencoded, so an affected secret could surface unmasked in logs or error messages during a release. Any pipeline running an affected version with such a secret is exposed, and a credential that lands in build output can be harvested by anyone who can read those logs.

The core of the issue is how `encodeURI` behaves: it percent-encodes most characters but leaves the URI-reserved set `;,/?:@&=+$#` (together with letters, digits and `-_.!~*'()`) untouched. Because the mask `semantic-release` applies to its output was derived from the secret's `encodeURI` form, a secret containing one of those reserved characters could reach the output in a form the mask did not match, and the secret was printed as-is. Version 19.0.3 corrects the encoding used to build the mask. Dependency-management services flagged the release as a security update, and tools such as RenovateBot opened automated pull requests upgrading projects from the vulnerable 19.0.2.
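
The following is an added example, not semantic-release's own source, that reproduces the class of bug described above with a small output redactor. The function names (`buildMaskVulnerable`, `buildMaskHardened`, `findLeaks`, `reservedDelta`), the name-based heuristic for deciding which environment variables count as secrets, the sample environment and the log lines are all constructed for this illustration. The hardened variant shows one way to close the gap, masking the `encodeURIComponent` form as well as the raw and `encodeURI` forms; the page does not state that this is the exact upstream patch, only that 19.0.3 fixed the encoding oversight.

```javascript
// Added illustration of the masking flaw (not semantic-release's code).
// Names, the secret-selection heuristic and the sample data are assumptions.

const SECRET_REPLACEMENT = '[secure]';
const SECRET_MIN_SIZE = 5; // skip very short values that would over-match
const SECRET_VAR = /token|password|credential|secret|private/i; // assumed heuristic

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Values of env vars whose name looks like a credential.
function secretValues(env) {
  return Object.keys(env)
    .filter((k) => SECRET_VAR.test(k) && String(env[k]).trim().length >= SECRET_MIN_SIZE)
    .map((k) => String(env[k]));
}

function makeRedactor(forms) {
  const unique = [...new Set(forms)].sort((a, b) => b.length - a.length); // longest first
  if (unique.length === 0) return (out) => out;
  const re = new RegExp(unique.map(escapeRegExp).join('|'), 'g');
  return (out) => (typeof out === 'string' ? out.replace(re, SECRET_REPLACEMENT) : out);
}

// Vulnerable variant: masks the raw value and its encodeURI() form only.
// encodeURI leaves ; , / ? : @ & = + $ # untouched, so for a secret containing
// one of them both forms are identical and a percent-encoded copy slips through.
function buildMaskVulnerable(env) {
  return makeRedactor(secretValues(env).flatMap((v) => [v, encodeURI(v)]));
}

// Hardened variant: additionally masks the encodeURIComponent() form, which is
// how the secret appears once something embeds it in a URL (e.g. git userinfo).
function buildMaskHardened(env) {
  return makeRedactor(
    secretValues(env).flatMap((v) => [v, encodeURI(v), encodeURIComponent(v)])
  );
}

// Which forms of the configured secrets survive in `output` after redaction.
function findLeaks(env, redact, output) {
  const redacted = redact(output);
  return secretValues(env)
    .flatMap((v) => [v, encodeURI(v), encodeURIComponent(v)])
    .filter((form, i, arr) => arr.indexOf(form) === i && redacted.includes(form));
}

// Characters that encodeURI leaves alone but encodeURIComponent escapes:
// exactly the set that makes a secret fall through the vulnerable mask.
function reservedDelta() {
  return [...';,/?:@&=+$#'].filter((c) => encodeURI(c) === c && encodeURIComponent(c) !== c).join('');
}

// Constructed sample: a token containing '@' and '/' as it might appear raw
// in one log line and percent-encoded inside a git remote URL in another.
const SAMPLE_ENV = { GH_TOKEN: 'ghp_x@y/z123', HOME: '/home/ci' };
const SAMPLE_LOG = [
  'Using token ghp_x@y/z123 for GitHub',
  'fatal: unable to access https://ghp_x%40y%2Fz123@github.com/org/repo.git/',
].join('\n');

if (typeof module !== 'undefined' && require.main === module) {
  console.log('--- vulnerable ---\n' + buildMaskVulnerable(SAMPLE_ENV)(SAMPLE_LOG));
  console.log('--- hardened ---\n' + buildMaskHardened(SAMPLE_ENV)(SAMPLE_LOG));
}
```

Run with `node`: the vulnerable redactor masks the first line but leaves `ghp_x%40y%2Fz123` readable in the git error, while the hardened one masks both occurrences. Sorting the forms longest-first matters once several encodings of the same value are in play, so that a shorter form never partially overwrites a longer one.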

This incident highlights the supply chain risk concentrated in widely adopted build tooling: a defect in one release tool becomes a credential-leak vector for every project that runs it. Teams using `semantic-release` for automated versioning and publishing should upgrade to 19.0.3 or later without delay. Because the leak is silent (the credential simply appears in build output, with no warning), upgrading alone is not enough: any secret that contains one of the characters `encodeURI` leaves unencoded and that may have passed through an affected version's logs should be treated as exposed and rotated.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software supply chain, vulnerability, CVE-2022-31051, devops
- **Credibility**: unverified
- **Published**: 2026-03-30 21:27:08
- **ID**: 41853
- **URL**: https://whisperx.ai/en/intel/41853