CVE-2025-54956: 
Linux Debian vulnerability analysis and mitigation

The gh package before version 1.5.0 for R contains a security vulnerability identified as CVE-2025-54956. The vulnerability was discovered and disclosed on August 3, 2025, affecting the R programming language package gh. The issue involves the exposure of sensitive information through HTTP response data structures that include Authorization headers from corresponding HTTP requests (NVD, Debian Tracker).

The vulnerability has been assigned a CVSS v3.1 base score of 3.2 (LOW) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N. The technical nature of the vulnerability involves the gh package storing HTTP request headers, including Authorization headers, within the response data structure. This implementation could potentially expose sensitive authentication information. The vulnerability is classified under CWE-669 (Incorrect Resource Transfer Between Spheres) (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive authentication information contained in Authorization headers. If an attacker gains access to the stored response data structure, they could potentially extract authentication tokens or credentials. This is particularly concerning in scenarios where results are cached and inadvertently committed to version control systems (GitHub Issue).

The vulnerability has been fixed in gh package version 1.5.0. The fix involves modifying the package to no longer save request headers in the returned object. Users who previously relied on header information for pagination functions (ghnext(), ghprev(), ghfirst(), or ghlast()) will need to explicitly pass .token and/or .send_headers parameters to these functions (GitHub Commit).