diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 29a06a80a..8c0129427 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -122615,8 +122615,8 @@ function getCredentials(logger, registrySecrets, registriesCredentials, language
       );
     }
     const baseCredential = { type: e.type };
-    if (isDefined2(e["replaces-base"])) {
-      if (typeof e["replaces-base"] === "boolean") {
+    if ("replaces-base" in e) {
+      if (isDefined2(e["replaces-base"]) && typeof e["replaces-base"] === "boolean") {
         baseCredential["replaces-base"] = e["replaces-base"];
       } else {
         throw new ConfigurationError(
diff --git a/src/start-proxy.test.ts b/src/start-proxy.test.ts
index d1e05aea1..aec3661cb 100644
--- a/src/start-proxy.test.ts
+++ b/src/start-proxy.test.ts
@@ -639,6 +639,76 @@ test(
   },
 );
 
+test("getCredentials validates 'replaces-base' correctly", async (t) => {
+  // Valid cases.
+  const credentialsInput = toEncodedJSON([
+    {
+      type: "maven_repository",
+      host: "maven1.pkg.github.com",
+      token: "abc",
+      "replaces-base": false,
+    },
+    {
+      type: "maven_repository",
+      host: "maven2.pkg.github.com",
+      token: "def",
+      "replaces-base": true,
+    },
+    {
+      type: "maven_repository",
+      host: "maven3.pkg.github.com",
+      token: "ghi",
+    },
+  ]);
+
+  const credentials = startProxyExports.getCredentials(
+    getRunnerLogger(true),
+    undefined,
+    credentialsInput,
+    BuiltInLanguage.java,
+    false,
+  );
+
+  t.is(credentials.length, 3);
+  t.true(credentials.some((c) => c["replaces-base"] === true));
+  t.true(credentials.some((c) => c["replaces-base"] === false));
+  t.true(credentials.some((c) => c["replaces-base"] === undefined));
+
+  // Invalid cases.
+  const baseInvalid = {
+    type: "maven_repository",
+    host: "maven4.pkg.github.com",
+    token: "jkl",
+  };
+  t.throws(() =>
+    startProxyExports.getCredentials(
+      getRunnerLogger(true),
+      undefined,
+      toEncodedJSON([{ ...baseInvalid, "replaces-base": null }]),
+      BuiltInLanguage.actions,
+      false,
+    ),
+  );
+  t.throws(() =>
+    startProxyExports.getCredentials(
+      getRunnerLogger(true),
+      undefined,
+      toEncodedJSON([{ ...baseInvalid, "replaces-base": 123 }]),
+      BuiltInLanguage.actions,
+      false,
+    ),
+  );
+  t.throws(() =>
+    startProxyExports.getCredentials(
+      getRunnerLogger(true),
+      undefined,
+      toEncodedJSON([{ ...baseInvalid, "replaces-base": "true" }]),
+      BuiltInLanguage.actions,
+      false,
+    ),
+  );
+});
+
 test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
   const credentialsInput = toEncodedJSON(mixedCredentials);
 
diff --git a/src/start-proxy.ts b/src/start-proxy.ts
index 8289fd634..1013ae386 100644
--- a/src/start-proxy.ts
+++ b/src/start-proxy.ts
@@ -350,8 +350,12 @@ export function getCredentials(
     // Construct the base credential object.
     const baseCredential: Omit<Registry, keyof Address> = { type: e.type };
 
-    if (isDefined(e["replaces-base"])) {
-      if (typeof e["replaces-base"] === "boolean") {
+    // If "replaces-base" is present, it must be a boolean.
+    if ("replaces-base" in e) {
+      if (
+        isDefined(e["replaces-base"]) &&
+        typeof e["replaces-base"] === "boolean"
+      ) {
         baseCredential["replaces-base"] = e["replaces-base"];
       } else {
         throw new ConfigurationError(