CVE-2024-52009 Overview
Atlantis is a self-hosted Go application that runs Terraform plan and apply in response to pull request webhook events. When Atlantis authenticates to GitHub as a GitHub App it periodically obtains fresh installation access tokens (prefixed ghs_), and affected versions write each new token into the application log at rotation time. Anyone able to read Atlantis logs can therefore extract a live token and act as the Atlantis GitHub App with every permission the installation holds; where that installation carries organization administration permissions, the leak amounts to administrative control of the organization. The issue is tracked as GHSA-gppm-hq3p-h4rp and is classified as CWE-532: Insertion of Sensitive Information into Log File.
Critical Impact
Read access to Atlantis logs yields valid GitHub App installation tokens, enabling impersonation of Atlantis against the GitHub API with every permission the App installation holds and, where that includes organization administration, takeover of the connected GitHub organization.
Affected Products
- Runatlantis Atlantis versions prior to v0.30.0
- Atlantis deployments authenticating to GitHub as a GitHub App (Atlantis rotates the App's installation tokens on a schedule, and affected versions log each new token)
- Atlantis instances administering GitHub organizations
Discovery Timeline
- 2024-11-08 - CVE-2024-52009 published to NVD
- 2025-09-29 - Last updated in NVD database
Technical Details for CVE-2024-52009
Vulnerability Analysis
The flaw is a sensitive information exposure in log output. When Atlantis authenticates as a GitHub App it obtains installation access tokens, which GitHub issues with the ghs_ prefix, and replaces them on a schedule as they expire. In affected versions the rotation routine wrote the new token value into the application log verbatim instead of masking or redacting it. As a result, any operator, container platform, log aggregator, or downstream consumer with read access to those logs can recover a currently valid token.
GitHub App installation tokens expire one hour after issuance, so any single logged token is usable only within that window. Atlantis, however, keeps rotating and therefore keeps logging fresh tokens for as long as it runs, so a live log stream or a recent archive reliably contains a current one. An attacker reusing the token impersonates the Atlantis GitHub App and inherits every permission granted to that installation. In deployments where the App holds organization-level permissions, this includes administrative actions across the organization's repositories.
Root Cause
The root cause is missing redaction of secret material in the token rotation code path: Atlantis treated the rotated token like other diagnostic data and emitted it through its standard logger with no secret filter in front of it. The remediation in pull request #4667 removes the token value from the log statements and shipped in Atlantis v0.30.0.
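An illustrative Go example of the logging pattern behind this CWE-532 finding and of the fix class the remediation represents. It is added here and is not Atlantis code or the change in pull request #4667: the first function logs the rotated token verbatim, the second passes it through a wrapper type whose String method masks the secret body, so the same log statement can no longer leak it. The installationToken type, the function names and the sample token are assumptions made for this example.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"strings"
)

// installationToken wraps a GitHub App installation token so that it cannot
// be printed in full by accident. fmt's %s and %v verbs (and therefore the
// log package) call String() on any fmt.Stringer, so a log statement that
// receives the wrapped value emits only the masked form. The type and the
// two rotate functions below are illustrative and are not Atlantis code.
type installationToken string

// String keeps only the prefix, which still tells an operator which kind of
// GitHub credential was rotated without exposing the secret body.
func (t installationToken) String() string {
	s := string(t)
	if i := strings.IndexByte(s, '_'); i > 0 {
		return s[:i+1] + "[REDACTED]"
	}
	return "[REDACTED]"
}

// Reveal returns the raw token for the one place that must send it to
// GitHub (the Authorization header). An explicit accessor makes every
// unmasked use easy to find in review.
func (t installationToken) Reveal() string { return string(t) }

// vulnerableRotateLog reproduces the CWE-532 pattern: the freshly rotated
// token is treated like any other diagnostic value and logged verbatim.
func vulnerableRotateLog(logger *log.Logger, token string) string {
	msg := fmt.Sprintf("rotated GitHub App token: %s", token)
	logger.Print(msg)
	return msg
}

// hardenedRotateLog keeps the same log line but receives the wrapped type,
// so the formatted message contains only the masked value.
func hardenedRotateLog(logger *log.Logger, token installationToken) string {
	msg := fmt.Sprintf("rotated GitHub App token: %s", token)
	logger.Print(msg)
	return msg
}

func main() {
	// Constructed sample: real ghs_ prefix, made-up 36-character body.
	tok := "ghs_" + strings.Repeat("A1b2C3d4E5", 3) + "f6g7H8"
	logger := log.New(os.Stdout, "", 0)
	vulnerableRotateLog(logger, tok)                  // leaks the token
	hardenedRotateLog(logger, installationToken(tok)) // logs ghs_[REDACTED]
}
```

The wrapper only protects call sites that hold the wrapped value; a `string(token)` conversion or a `Reveal()` call bypasses it, which is the point of making those explicit and greppable. Structured loggers with a field-level redaction hook achieve the same effect at the sink rather than at the type.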
Attack Vector
Exploitation requires nothing more than read access to Atlantis logs, which may be available through container stdout streams, mounted log files, centralized logging platforms such as CloudWatch, Loki, or Splunk, or backup archives. An attacker who holds only low-privileged access to the logging stack, and no GitHub authorization of their own, can copy a ghs_ token from a rotation log line and present it to the GitHub API directly (as the bearer value of an Authorization header) to read private repository contents, modify protected branches, create webhooks, or alter organization settings, limited only by the permissions granted to the App installation. No further interaction with Atlantis is needed once the token is captured.
The mechanism is documented in GitHub Issue #4060 and in the security advisory. No proof-of-concept code is needed: extraction is a search of the logs for the ghs_ prefix, and the token is used as-is against the API.
Detection Methods for CVE-2024-52009
Indicators of Compromise
- Atlantis log entries containing strings matching the pattern ghs_[A-Za-z0-9]+, which indicates exposed GitHub App installation tokens.
- Unexpected GitHub audit log entries showing API calls from the Atlantis App outside normal Terraform plan or apply workflows.
- New webhooks, deploy keys, or collaborator additions on repositories administered by Atlantis that do not correspond to a tracked pull request.
Detection Strategies
- Grep historical Atlantis logs and log-aggregation indexes for the ghs_ token prefix to confirm whether credentials were ever written to disk.
- Correlate GitHub organization audit events with Atlantis pull request activity to identify API calls from the App that lack a matching webhook trigger.
- Monitor for App token usage from source IP addresses that do not match the Atlantis deployment's egress addresses, where the GitHub audit log exposes actor IP addresses.
Monitoring Recommendations
- Forward GitHub organization audit logs to a SIEM and alert on App actions occurring outside expected automation windows.
- Implement log-scrubbing rules in the logging pipeline that redact strings matching GitHub token prefixes (ghs_, ghp_, gho_, ghu_, ghr_) before storage.
- Review IAM and RBAC on log storage to ensure only required operators can read Atlantis output.
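The log search in the first detection strategy above and the pipeline redaction the monitoring recommendations call for, as an added Go example that is not part of the original page or of Atlantis: it scans constructed sample log lines for the GitHub token prefixes named in this section, reports each hit with a short hint instead of the full value, and provides the matching redaction. The sample lines, token values and function names are made up for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// tokenPattern covers the GitHub token families named above. ghs_ is the
// installation token Atlantis rotates; ghp_, gho_, ghu_ and ghr_ are
// included so one scan also catches personal, OAuth, user-to-server and
// refresh tokens that end up in the same logs. The secret body is
// alphanumeric and at least 36 characters, so short literals such as
// "ghs_token" do not match.
var tokenPattern = regexp.MustCompile(`(ghs|ghp|gho|ghu|ghr)_[A-Za-z0-9]{36,}`)

// Finding records one exposed token without re-exposing its value.
type Finding struct {
	Line   int    // 1-based line number in the scanned input
	Prefix string // token family, e.g. "ghs_"
	Hint   string // prefix plus first four body characters, enough for triage
}

// ScanLogs returns a Finding for every token occurrence in lines.
func ScanLogs(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, m := range tokenPattern.FindAllString(line, -1) {
			out = append(out, Finding{Line: i + 1, Prefix: m[:4], Hint: m[:8] + "..."})
		}
	}
	return out
}

// Redact is the pipeline-side counterpart: it replaces the secret body and
// keeps the prefix so the line remains diagnostically useful.
func Redact(line string) string {
	return tokenPattern.ReplaceAllString(line, "${1}_[REDACTED]")
}

// Constructed sample tokens and log lines (not real credentials and not real
// Atlantis output); both token bodies are exactly 36 characters.
const (
	sampleGHS = "ghs_0123456789abcdefghijklmnopqrstuvwxyz"
	sampleGHP = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
)

var sampleLogLines = []string{
	`{"level":"info","msg":"Atlantis started"}`,
	`{"level":"info","msg":"rotated GitHub App token","token":"` + sampleGHS + `"}`,
	`{"level":"info","msg":"ghs_token rotation scheduled in 30m"}`,
	`{"level":"warn","msg":"env dump: GITHUB_TOKEN=` + sampleGHP + ` ATLANTIS_PORT=4141"}`,
}

func main() {
	for _, f := range ScanLogs(sampleLogLines) {
		fmt.Printf("line %d: %s token exposed (%s)\n", f.Line, f.Prefix, f.Hint)
	}
	for _, l := range sampleLogLines {
		fmt.Println(Redact(l))
	}
}
```

Run the scanner over exported log archives to answer the historical question (were tokens ever written?) and wire Redact, or the equivalent regular expression, into the forwarder so new lines are scrubbed before storage. The length guard is what keeps the pattern quiet on ordinary Atlantis messages that mention the prefix in prose.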
How to Mitigate CVE-2024-52009
Immediate Actions Required
- Upgrade Atlantis to v0.30.0 or later, which contains the fix from pull request #4667.
- Invalidate any installation token that may have been logged: installation tokens expire one hour after issuance, and a still-live one can be revoked immediately by calling DELETE /installation/token with that token. Rotating the GitHub App private key is also prudent because it prevents any further token minting with the old key, but a token that has already been issued must be revoked or allowed to expire.
- Audit existing log stores for the ghs_ prefix and purge or restrict access to any archives containing matches.
- Review GitHub organization audit logs for unauthorized App activity since the affected version was deployed.
Patch Information
The vulnerability is fixed in Atlantis v0.30.0. Upgrade instructions and release notes are available on the GitHub Release v0.30.0 Notes page. The corresponding code change is in Pull Request #4667. The vendor advisory states there are no supported workarounds, so patching is the only complete remediation.
Workarounds
- No vendor-supported workaround exists. If upgrade is delayed, restrict log read access to a minimal set of administrators and apply log-pipeline redaction for GitHub token prefixes.
- Reduce the blast radius by limiting the Atlantis GitHub App's permissions to the minimum required scopes, avoiding organization-administration grants where possible.
- Shorten log retention for Atlantis output until the upgrade is completed, then rotate the App private key after upgrading.
# Example: redact GitHub tokens in a logging pipeline using sed
# Apply this filter before logs reach centralized storage, e.g.
#   docker logs -f atlantis 2>&1 | sed -E '...' | <log forwarder>
# Covers ghs_ installation tokens plus the other GitHub prefixes listed above;
# the {36,} length guard leaves short literals such as "ghs_token" untouched.
sed -E 's/(ghs|ghp|gho|ghu|ghr)_[A-Za-z0-9]{36,}/\1_[REDACTED]/g'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


