
119 matches found

Debian CVE (added 2025/02/14 4:38 p.m., 8 views)

CVE-2025-25204

gh is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool gh attestation verify causes it to return a zero exit status when no attestations are present. This behavior is incorrect:...

CVSS 6.3, AI score 7.1, EPSS 0.00375
Exploits: 0

OSV (added 2025/02/14 4:38 p.m., 7 views)

CVE-2025-25204 `gh attestation verify` returns incorrect exit code during verification if no attestations are present

gh is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool gh attestation verify causes it to return a zero exit status when no attestations are present. This behavior is incorrect:...

CVSS 6.3, AI score 6.4, EPSS 0.00375
Exploits: 0, References: 5

CNNVD (added 2025/02/14 12:00 a.m., 5 views)

GitHub CLI security vulnerability

GitHub CLI is GitHub's open-source command line tool. A security vulnerability exists in GitHub CLI versions prior to 2.49.0 through 2.67.0; it stems from the gh attestation verify tool returning an incorrect exit status, which could allow an attacker to deploy malicious artifacts...

CVSS 6.3, AI score 6.5, EPSS 0.00375
Exploits: 0, References: 3

Tenable Nessus (added 2025/02/11 12:00 a.m., 6 views)

Azure Linux 3.0 Security Update: gh (CVE-2024-54132)

The version of gh installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-54132 advisory. - The GitHub CLI is GitHub's official command line tool. A security vulnerability has been identified in GitHub CL...

CVSS 6.3, AI score 5.5, EPSS 0.0062
Exploits: 0, References: 2

RedhatCVE (added 2025/02/05 12:11 p.m., 3 views)

CVE-2024-52308

GitHub CLI versions 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using the gh codespace ssh or gh codespace logs commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running with...

CVSS 9.6, AI score 9.8, EPSS 0.00861
Exploits: 0, References: 1

Microsoft CVE (added 2025/01/30 8:00 a.m., 5 views)

Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in the gh cli

...

CVSS 6.5, AI score 8.5, EPSS 0.00281
Exploits: 0

Veracode (added 2024/12/23 12:22 p.m., 13 views)

Authentication Token Leakage

github.com/cli/cli is vulnerable to authentication token leakage. The vulnerability is due to improper handling of the credential.helper configuration when cloning repositories with git submodules hosted outside of GitHub.com and ghe.com, causing authentication tokens to be exposed...

CVSS 6.5, AI score 6.9, EPSS 0.00281
Exploits: 0, References: 2, Affected Software: 1

Tenable Nessus (added 2024/12/21 12:00 a.m., 8 views)

CBL Mariner 2.0 Security Update: gh (CVE-2024-54132)

The version of gh installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-54132 advisory. - The GitHub CLI is GitHub's official command line tool. A security vulnerability has been identified in GitHub CL...

CVSS 6.3, AI score 5.5, EPSS 0.0062
Exploits: 0, References: 2

Veracode (added 2024/12/16 6:39 a.m., 7 views)

Directory Traversal

github.com/cli/cli is vulnerable to directory traversal. The vulnerability is due to improper handling of artifact names during download when using the gh run download command. Specifically, if a malicious GitHub Actions workflow artifact is named .., the files within the artifact are...

CVSS 6.3, AI score 6.1, EPSS 0.0062
Exploits: 0, References: 2, Affected Software: 1

Veracode (added 2024/12/13 5:52 a.m., 6 views)

Remote Code Execution (RCE)

GitHub CLI is vulnerable to Remote Code Execution (RCE). The vulnerability is due to unvalidated SSH connection details, allowing a malicious devcontainer to inject arguments that execute arbitrary commands when using gh codespace ssh or gh codespace logs...

CVSS 9.6, AI score 7.9, EPSS 0.00861
Exploits: 0, References: 3, Affected Software: 1

SUSE CVE (added 2024/12/12 6:58 a.m., 3 views)

SUSE CVE-2024-53858

The gh cli is GitHub's official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from several gh commands...

CVSS 6.5, AI score 9.3, EPSS 0.00281
Exploits: 0, References: 3

SUSE CVE (added 2024/12/06 3:49 a.m., 2 views)

SUSE CVE-2024-54132

The GitHub CLI is GitHub's official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...

CVSS 7.5, AI score 6.4, EPSS 0.0062
Exploits: 0, References: 4

OSV (added 2024/12/04 4:15 p.m., 2 views)

DEBIAN-CVE-2024-54132

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...

CVSS 6.3, AI score 5.3, EPSS 0.0062
Exploits: 0, References: 1

NVD (added 2024/12/04 4:15 p.m., 21 views)

CVE-2024-54132

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...

CVSS 6.3, EPSS 0.0062
Exploits: 0, References: 2

OSV (added 2024/12/04 4:15 p.m., 5 views)

AZL-54009 CVE-2024-54132 affecting package gh for versions less than 2.13.0-23

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...

CVSS 6.3, AI score 5.7, EPSS 0.0062
Exploits: 0, References: 1

OSV (added 2024/12/04 4:15 p.m., 0 views)

UBUNTU-CVE-2024-54132

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...

CVSS 6.3, AI score 5.8, EPSS 0.0062
Exploits: 0, References: 5

Github Security Blog (added 2024/12/04 3:32 p.m., 17 views)

Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

Summary: A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. Details: This vulnerability stems from a GitHub Actions workflow artifact name...

CVSS 6.3, AI score 6.8, EPSS 0.0062
Exploits: 0, References: 4, Affected Software: 2

OSV (added 2024/12/04 3:32 p.m., 10 views)

GHSA-2M9H-R57G-45PJ Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

Summary: A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. Details: This vulnerability stems from a GitHub Actions workflow artifact name...

CVSS 6.3, AI score 5.8, EPSS 0.0062
Exploits: 0, References: 4

Cvelist (added 2024/12/04 3:29 p.m., 14 views)

CVE-2024-54132 GitHub CLI allows downloading malicious GitHub Actions workflow artifact to result in path traversal vulnerability

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...

CVSS 6.3, EPSS 0.0062
Exploits: 0, References: 2

CVE (added 2024/12/04 3:29 p.m., 2484 views)

CVE-2024-54132

Summary: CVE-2024-54132 affects GitHub CLI (gh). When a user downloads a GitHub Actions workflow artifact named .. using gh run download, the artifact name and the --dir value determine the extraction path, causing files within the artifact to be extracted one directory higher than intended. This...

CVSS 6.3, AI score 6.5, EPSS 0.0062
Exploits: 0, References: 2