Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via host resolution in the CLI authentication layer. An attacker can obtain authentication tokens intended for GitHub or GitHub Enterprise by causing authenticated requests to be sent to external hosts, as the ho...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via host resolution in the CLI authentication layer. An attacker can obtain authentication tokens intended for GitHub or GitHub Enterprise by causing authenticated requests to be sent to external hosts, as the ho...

Azure Linux 3.0 Security Update: gh (CVE-2024-52308)

The version of gh installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-52308 advisory. - The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace S...

CVE-2025-62379

Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirectto query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a...

CVE-2025-62379 Open Redirect in reflex-dev/reflex

Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirectto query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a...

CVE-2025-62379 Open Redirect in reflex-dev/reflex

Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirectto query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a...

CVE-2025-62379

Reflex (Python web app framework) versions 0.5.4–0.8.14 contain an Open Redirect in the /auth-codespace route: the redirect_to query parameter is assigned directly to client-side links without validation, triggering automatic navigation, which can redirect users to arbitrary external URLs. The vu...

CVE-2025-62379 Open Redirect in reflex-dev/reflex

Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirectto query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a...

EUVD-2024-3396

Malicious code in bioql PyPI...

EUVD-2024-3287

Malicious code in bioql PyPI...

go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace

...

Authentication Token Leakage

github.com/cli/go-gh is vulnerable to authentication token leakage. The vulnerability is due to improper handling of authentication tokens, where auth.TokenForHost could source a token from the GITHUBTOKEN environment variable for non-GitHub hosts within a codespace...

GO-2024-3295 Violation of GitHub host security boundary when sourcing authentication token within a codespace in github.com/cli/go-gh

Violation of GitHub host security boundary when sourcing authentication token within a codespace in github.com/cli/go-gh...

CVE-2024-53859

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...

AZL-53453 CVE-2024-53859 affecting package gh for versions less than 2.62.0-5

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...

UBUNTU-CVE-2024-53859

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...

GHSA-55V3-XH23-96GH `auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace

Summary A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. Details go-gh sources authentication tokens from different environment variables depending on the host involved: - GITHUBTOKEN...

`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace

Summary A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. Details go-gh sources authentication tokens from different environment variables depending on the host involved: - GITHUBTOKEN...

CVE-2024-53859

The CVE-2024-53859 issue affects the go-gh Go module used to interact with gh and GitHub, where auth.TokenForHost could pull a token from GITHUB_TOKEN (or GH_TOKEN) for non‑GitHub hosts when running in a codespace prior to version 2.11.1. In 2.11.1, token sourcing is restricted to GitHub.com or g...

CVE-2024-53859 go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...