Summary
Workarounds
Upgrade to setup-php 2.37.1 or newer. Alternatively, avoid the affected path by pinning a patched Composer release: 2.9.8, 2.2.28, 1.10.28, or a newer supported Composer release.
Avoid pinning affected Composer versions such as composer:2.9.7 unless you have automation that updates the pin in your workflows promptly.
Impact
This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7.
Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have been updated to patched Composer releases for all setup-php versions.
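The affected-pin rule above is mechanical enough to check across a repository. The following Python script is an added example, not code from setup-php or from this advisory: it flags setup-php steps whose `tools:` value pins an exact Composer version below the patched releases named here, and reports whether the setup-php reference is an unfixed exact tag or a floating tag or commit SHA that still has to be resolved against the release it points to. Two assumptions are labelled in the code: the advisory lists patched Composer releases but not the lower bounds of the affected ranges, so any exact pin below the patched release of its series is treated as affected (conservative), and the matching is line-based rather than a YAML parse. The sample workflow is constructed.

```python
"""Heuristic scan of GitHub Actions workflows for the setup-php
GHSA-5WXR-W449-57CM exposure: setup-php older than 2.37.1 combined with an
exact Composer pin (tools: composer:X.Y.Z) below the patched Composer
releases the advisory names (2.9.8, 2.2.28, 1.10.28)."""
import re
from typing import Optional

SETUP_PHP_FIXED = (2, 37, 1)

SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
# `uses:` may appear with or without the leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*shivammathur/setup-php@(\S+)")
STEP_START_RE = re.compile(r"^\s*-\s")
TOOLS_RE = re.compile(r"^\s*tools:\s*(.+?)\s*$")


def parse_semver(text: str) -> Optional[tuple]:
    m = SEMVER_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def composer_pin(tools_value: str) -> Optional[str]:
    """Return the exact Composer version pinned in a `tools:` value, or None
    when Composer is unpinned or given as an alias such as composer:v2
    (only exact semver pins are affected through setup-php)."""
    for item in tools_value.split(","):
        item = item.strip()
        if not item.startswith("composer:"):
            continue
        spec = item[len("composer:"):]
        if parse_semver(spec) is not None:
            return spec
    return None


def composer_pin_affected(version: str) -> bool:
    """True when an exact pin predates the patched release of its series.
    Assumption: the advisory gives patched releases, not lower bounds, so
    everything below the patched release of a series is flagged."""
    v = parse_semver(version)
    if v is None:
        return False
    major, minor, _ = v
    if major == 1:
        patched = (1, 10, 28)
    elif major == 2 and minor == 2:
        patched = (2, 2, 28)
    elif major == 2:
        patched = (2, 9, 8)
    else:
        return False  # series not named in the advisory; not flagged here
    return v < patched


def setup_php_fixed(ref: str) -> Optional[bool]:
    """True/False for an exact setup-php tag; None for a floating tag (v2)
    or a commit SHA, which must be resolved to a release before deciding."""
    v = parse_semver(ref)
    return None if v is None else v >= SETUP_PHP_FIXED


def scan_workflow(text: str) -> list:
    """Line-based heuristic (not a YAML parser): pairs each setup-php step
    with the `tools:` line that follows it before the next step starts."""
    findings = []
    current_ref = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            current_ref = m.group(1)
            continue
        if STEP_START_RE.match(line):
            current_ref = None  # a new step begins; forget the previous uses:
            continue
        m = TOOLS_RE.match(line)
        if not (m and current_ref):
            continue
        pin = composer_pin(m.group(1))
        if pin is None:
            continue
        fixed = setup_php_fixed(current_ref)
        if fixed is True or not composer_pin_affected(pin):
            continue
        findings.append({
            "line": lineno,
            "setup_php": current_ref,
            "composer": pin,
            "setup_php_status": "unfixed" if fixed is False else "floating-or-sha",
        })
    return findings


# Constructed sample workflow, not taken from a real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Old setup-php with affected Composer pin (flagged)
        uses: shivammathur/setup-php@v2.37.0
        with:
          php-version: '8.3'
          tools: composer:2.9.7, phpunit
      - name: Alias Composer version (not affected through setup-php)
        uses: shivammathur/setup-php@v2.37.0
        with:
          php-version: '8.3'
          tools: composer:v2
      - name: Patched Composer pin (not affected)
        uses: shivammathur/setup-php@v2.37.0
        with:
          tools: composer:2.9.8
      - name: Fixed setup-php skips the generated auth (not flagged)
        uses: shivammathur/setup-php@v2.37.1
        with:
          tools: composer:2.2.27
      - name: Floating tag with affected pin (resolve the tag first)
        uses: shivammathur/setup-php@v2
        with:
          tools: composer:1.10.27
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f)
```

Run it over each file under `.github/workflows/` and treat a `floating-or-sha` finding as "check which release the reference resolves to", not as a confirmed exposure.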
setup-php does not print the token itself. The exposure happens in Composer: when Composer validates the github-oauth entry that setup-php generated, it rejects GitHub's newer hyphen-containing token format, and the rejection is what surfaces the token in the job output.
Workflow logs of public repositories are publicly readable, so a token printed there is exposed to anyone. The GITHUB_TOKEN of a GitHub-hosted runner expires when the job ends, but it remains usable for the rest of the job, and longer-lived GitHub App or user tokens passed to setup-php stay valid until rotated.
GHSA-5WXR-W449-57CM has a CVSS score of 5.9 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.37.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
setup-php 2.37.1 skips generated GitHub OAuth auth for pinned Composer versions affected by Composer GHSA-f9f8-rm49-7jv2 while preserving other Composer auth, including Packagist auth.
Frequently Asked Questions
- What is GHSA-5WXR-W449-57CM? GHSA-5WXR-W449-57CM is a medium-severity security vulnerability in shivammathur/setup-php (actions), affecting versions < 2.37.1. It is fixed in 2.37.1.
- How severe is GHSA-5WXR-W449-57CM? GHSA-5WXR-W449-57CM has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of shivammathur/setup-php are affected by GHSA-5WXR-W449-57CM? shivammathur/setup-php (actions) versions < 2.37.1 are affected.
- Is there a fix for GHSA-5WXR-W449-57CM? Yes. GHSA-5WXR-W449-57CM is fixed in 2.37.1. Upgrade to this version or later.
- Is GHSA-5WXR-W449-57CM exploitable, and should I be worried? Whether GHSA-5WXR-W449-57CM is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether GHSA-5WXR-W449-57CM is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-5WXR-W449-57CM? Upgrade shivammathur/setup-php to 2.37.1 or later.