SC-TRAVIS-LEAK-2021

CI/CD · Travis CI · travis-ci/travis-ci

Summary

Between September 3 and September 10, 2021, a flaw in Travis CI's build activation process, tracked as CVE-2021-41077 and disclosed publicly on September 13, injected secure environment variables into builds that should never have received them. Secrets normally restricted to a repository's private context were shared with builds triggered by pull requests from forks of public repositories, contrary to the customer's .travis.yml configuration. Anyone could therefore fork a public project, open a pull request whose build step printed the environment (a build script that runs env is enough), and read the upstream project's secret environment variables from the public build log. Signing keys, access credentials and API tokens were exposed this way across thousands of open-source projects.

The flaw belongs to the class of secret exfiltration into forked builds: the provider, not the repository's configuration, failed to enforce the fork boundary, so no .travis.yml setting could have prevented it. Felix Lange of Ethereum flagged it on September 7; Travis CI patched it silently on September 10 with no initial post-mortem, prompting affected projects to rotate credentials. conda-forge alone rotated roughly 70 feedstock tokens.

How to avoid it in your code

  • After a CI vendor's secret-leak window, rotate every signing key, token and credential the provider held for the repository, not only those used by the jobs that actually ran.
  • Never expose repository secrets to pull-request builds that originate from forks; gate every secret-bearing stage to pushes on trusted branches.
  • Split the pipeline into an untrusted stage that runs on fork pull requests with no secrets and a trusted post-merge stage that holds them, and attach each secret to the job that needs it rather than to the whole build.
  • Treat any secret that ever entered a public-repo build context as compromised and replace it; if a fork pull request built during a leak window, assume every secret the repository held was read.
  • Prefer short-lived, per-job OIDC credentials over static secret environment variables stored at the CI provider, so that a leaked value expires before it can be reused.
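The checks below put the steps above into code: the policy a pipeline should hold a CI provider to (no secrets on fork or any pull-request build, none off trusted branches, job-scoped rather than build-wide), an audit of which builds ran while the provider ignored that policy, the resulting rotation list, and a scan of a public fork-PR build log for secret values. This is an added example, not Travis CI's code or any affected project's; the build record is a simplified model (event_type, branch and started_at mirror Travis API v3 build attributes, head_repo and base_repo are assumed names), and every repository name, secret and log line is constructed.

```python
"""Post-incident checks for a CI secret-leak window such as CVE-2021-41077.

Added example; not Travis CI's or any affected project's code.  BuildEvent is
a simplified model of a CI build record (head_repo/base_repo are assumed
field names), and all sample data below is constructed.
"""
import base64
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class BuildEvent:
    event_type: str      # "push", "pull_request", "cron" or "api"
    branch: str          # pushed branch, or the PR's target branch
    head_repo: str       # "owner/name" the commit was authored in (assumed field)
    base_repo: str       # "owner/name" whose CI config and secrets run (assumed field)
    started_at: datetime

    @property
    def from_fork(self) -> bool:
        return self.head_repo != self.base_repo


@dataclass
class Pipeline:
    trusted_branches: FrozenSet[str]
    # Weak pattern: secrets attached to the whole build reach every job.
    global_secrets: Dict[str, str] = field(default_factory=dict)
    # Corrected pattern: secrets attached only to the job that needs them.
    job_secrets: Dict[str, Dict[str, str]] = field(default_factory=dict)


def secrets_for_job(pipeline: Pipeline, job: str, ev: BuildEvent) -> Dict[str, str]:
    """The invariant the provider must enforce: no secrets on a fork build or
    any pull-request build, and none on pushes to untrusted branches."""
    if ev.from_fork or ev.event_type != "push" or ev.branch not in pipeline.trusted_branches:
        return {}
    return {**pipeline.global_secrets, **pipeline.job_secrets.get(job, {})}


# Leak window from the advisory; the end is the midnight UTC after the
# 2021-09-10 patch so every build on the patch day counts as exposed.
LEAK_WINDOW = (datetime(2021, 9, 3, tzinfo=timezone.utc),
               datetime(2021, 9, 11, tzinfo=timezone.utc))


def exposed_builds(builds: Iterable[BuildEvent], window=LEAK_WINDOW) -> List[BuildEvent]:
    """Fork PR builds that ran while the provider injected secrets anyway."""
    start, end = window
    return [b for b in builds
            if b.from_fork and b.event_type == "pull_request"
            and start <= b.started_at < end]


def secrets_to_rotate(pipeline: Pipeline, builds: Iterable[BuildEvent]) -> Set[str]:
    """One exposed build burns every secret the repository held: the leak was
    provider-wide, not limited to the job that would normally receive them."""
    if not exposed_builds(builds):
        return set()
    names = set(pipeline.global_secrets)
    for scoped in pipeline.job_secrets.values():
        names.update(scoped)
    return names


def secrets_in_log(log_text: str, secrets: Dict[str, str]) -> Set[str]:
    """Names of secrets whose value (raw or base64-encoded) appears in a
    public build log, e.g. because a fork PR replaced the script with env."""
    hits = set()
    for name, value in secrets.items():
        b64 = base64.b64encode(value.encode()).decode()
        if value in log_text or b64 in log_text:
            hits.add(name)
    return hits


# --- constructed sample data (not real repositories, tokens or logs) ---------
PIPELINE = Pipeline(
    trusted_branches=frozenset({"main"}),
    global_secrets={"CODECOV_TOKEN": "c0v-example"},
    job_secrets={"publish": {"PYPI_TOKEN": "pypi-example-token"}},
)
UPSTREAM = "example-org/widget"
BUILDS = [
    BuildEvent("pull_request", "main", "attacker/widget", UPSTREAM,
               datetime(2021, 9, 5, 14, 0, tzinfo=timezone.utc)),   # fork PR inside the window
    BuildEvent("pull_request", "main", "attacker/widget", UPSTREAM,
               datetime(2021, 8, 30, 9, 0, tzinfo=timezone.utc)),   # fork PR before the window
    BuildEvent("push", "main", UPSTREAM, UPSTREAM,
               datetime(2021, 9, 6, 10, 0, tzinfo=timezone.utc)),   # trusted post-merge push
    BuildEvent("pull_request", "main", UPSTREAM, UPSTREAM,
               datetime(2021, 9, 8, 11, 0, tzinfo=timezone.utc)),   # same-repo PR
]
FORK_PR_LOG = "\n".join([          # what a fork PR whose script ran env would publish
    "$ env",
    "TRAVIS_PULL_REQUEST=42",
    "CODECOV_TOKEN=c0v-example",
    "PYPI_TOKEN=pypi-example-token",
])

if __name__ == "__main__":
    held = {**PIPELINE.global_secrets, **PIPELINE.job_secrets["publish"]}
    print("exposed builds:", len(exposed_builds(BUILDS)))
    print("rotate:", sorted(secrets_to_rotate(PIPELINE, BUILDS)))
    print("seen in log:", sorted(secrets_in_log(FORK_PR_LOG, held)))
```

The policy function is deliberately stricter than the provider default the flaw broke: same-repository pull requests get nothing either, because a maintainer's branch is not a trusted release path. The rotation list ignores which jobs actually ran, matching the advice to treat every secret in the build context as read once a single fork PR built inside the window; the log scan is only a confirmation step for what was published, never a reason to skip rotation.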

References