## Semantic-Release v19.0.3 Patches Critical Secret Exposure Vulnerability (CVE-2022-31051)
A critical security vulnerability in the widely used `semantic-release` automation tool has been patched. The flaw could expose sensitive secrets such as API tokens and passwords to unauthorized actors. The vulnerability, tracked as CVE-2022-31051 (GHSA-x2pg-mjhr-2m5x), was present in versions prior to 19.0.3. The update is flagged as a security priority, indicating a direct risk to the integrity of automated release pipelines and the credentials they manage.

The vulnerability specifically affected the tool's secret masking functionality. In affected versions, secrets that should have been hidden from logs and output during the release process were not properly obscured. This failure could allow unauthorized individuals with access to build logs or CI/CD system output to view these credentials. The `semantic-release` package automates versioning, changelog generation, and package publishing for a large number of Node.js projects, which makes this a high-impact vulnerability across the software supply chain.

The patch in version 19.0.3 resolves the masking failure. This incident underscores the persistent risk within software dependencies and the critical importance of promptly applying security updates to build tooling. Organizations and developers relying on `semantic-release` must upgrade immediately to mitigate the risk of credential leakage, which could lead to unauthorized repository access, compromised package registries, or further system infiltration.
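
To find projects that still resolve a release older than the fix, the added example below (not part of the original report or of `semantic-release` itself) scans a parsed `package-lock.json` for every installed copy of `semantic-release` and flags versions before 19.0.3. The sample lockfile and the `demo-app` and `demo-tool` names are constructed; versions that cannot be parsed and 19.0.3 prereleases are conservatively flagged.

```javascript
// Added example: flag semantic-release installs below the fixed release, 19.0.3.
const FIXED = [19, 0, 3];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null when not a plain version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version sorts before 19.0.3 (a 19.0.3 prerelease sorts before it).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL, tag or missing version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Collect every installed copy, including nested ones pulled in by other tools.
function findSemanticRelease(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isCopy = /(^|\/)node_modules\/semantic-release$/.test(path);
      if (isCopy) hits.push({ where: path, version: meta.version });
    }
  } else { // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = trail ? `${trail} > ${name}` : name;
        if (name === 'semantic-release') hits.push({ where, version: meta.version });
        walk(meta.dependencies, where);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', devDependencies: { 'semantic-release': '^19.0.2' } },
    'node_modules/semantic-release': { version: '19.0.2', dev: true },
    'node_modules/demo-tool/node_modules/semantic-release': { version: '19.0.3' },
  },
};
console.log(findSemanticRelease(sampleLock));
```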

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2022-31051, DevOps Security, Supply Chain Vulnerability, Secret Leak, CI/CD
- **Credibility**: unverified
- **Published**: 2026-04-21 19:22:58
- **ID**: 74709
- **URL**: https://whisperx.ai/en/intel/74709