CVE-2024-52308
Published 2024-11-14
Priority P2 59, critical, 9.6 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H
EPSS 0.86% (53.9th percentile)
The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.
Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs` commands.
This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. The `gh codespace ssh` and `gh codespace logs` commands could then execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command, while the `#` shell comment causes any other `ssh` arguments to be ignored.
In `2.62.0`, the remote username information is validated before being used.
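One way to validate a server-supplied username before it reaches `ssh`, as an added example (not the gh project's code). The allowlist pattern and the names `validateRemoteUser` and `buildSSHArgs` are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// safeUser is a conservative allowlist chosen for this example (an assumption,
// not the rule gh 2.62.0 applies): the first character can never be '-', and
// quotes, spaces, '=' and '#' are not permitted anywhere.
var safeUser = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$`)

// validateRemoteUser rejects a server-supplied username that ssh or a shell
// could interpret as anything other than a plain login name.
func validateRemoteUser(user string) error {
	if !safeUser.MatchString(user) {
		return fmt.Errorf("refusing remote username %q: not a plain login name", user)
	}
	return nil
}

// buildSSHArgs returns the argv for ssh as separate elements, so no shell ever
// re-parses the values. The username is validated before it is placed in argv.
func buildSSHArgs(user, host string, port int) ([]string, error) {
	if err := validateRemoteUser(user); err != nil {
		return nil, err
	}
	return []string{"ssh", "-p", strconv.Itoa(port), user + "@" + host}, nil
}

func main() {
	// Constructed inputs: one ordinary name and the value quoted in the advisory.
	for _, u := range []string{"codespace", `-oProxyCommand="echo hacked" #`} {
		args, err := buildSSHArgs(u, "localhost", 2222)
		fmt.Printf("user=%q args=%q err=%v\n", u, args, err)
	}
}
```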
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cli | cli | <= 2.61.0 | — |
| debian | gh | < gh 2.46.0-2 (sid) | gh 2.46.0-2 (sid) |
| github.com | cli_cli | >= 0 < 2.62.0 | 2.62.0 |
| github.com | cli_cli_v2 | >= 0 < 2.62.0 | 2.62.0 |
| github | cli | < 2.62.0 | 2.62.0 |
| msrc | azl3_gh_2.43.1-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_gh_2.62.0-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
Detection & IOCs
- Monitor for SSH process invocations spawned by the GitHub CLI (`gh`) process where the username argument contains `-oProxyCommand` or a `#` shell comment character, indicating SSH argument injection via a malicious remote username.
- Detect child processes spawned by `gh` (GitHub CLI) that are not expected SSH subprocesses, particularly any process launched via ProxyCommand, which would be a grandchild of `gh` via `ssh`.
- Alert on use of `gh codespace ssh` or `gh codespace logs` commands against codespaces with third-party or unverified devcontainer images, as these are the attack surface for this RCE.
- Only GitHub CLI versions 2.6.1 and earlier are vulnerable; version 2.62.0 introduces validation of the remote username before use, mitigating the injection.
- The vulnerability is triggered only when connecting to a codespace whose devcontainer runs a modified/malicious SSH server that returns attacker-controlled values in SSH connection details (e.g., remote username).
- Debian Bookworm remains open/unpatched as of the security tracker; Sid and Trixie are resolved at package version 2.46.0-2.
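The first two detections above, run over process-creation events, as an added example that is not part of the original page. The `ProcEvent` record, its field names and the sample telemetry are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcEvent is a simplified process-creation record; field names are assumed.
type ProcEvent struct {
	PID, PPID int
	Image     string
	Argv      []string
}
func name(e ProcEvent) string { return filepath.Base(e.Image) }

// Detect flags (1) ssh started by gh whose arguments contain -oProxyCommand
// or '#', and (2) any process that is a grandchild of gh through ssh.
func Detect(events []ProcEvent) []string {
	byPID := map[int]ProcEvent{}
	for _, e := range events {
		byPID[e.PID] = e
	}
	var out []string
	for _, e := range events {
		parent := byPID[e.PPID] // zero value when the parent was not recorded
		cmd := strings.Join(e.Argv, " ")
		injected := strings.Contains(strings.ToLower(cmd), "-oproxycommand") || strings.Contains(cmd, "#")
		if name(e) == "ssh" && name(parent) == "gh" && injected {
			out = append(out, fmt.Sprintf("pid %d: ssh under gh with injected-looking arguments", e.PID))
		}
		if name(parent) == "ssh" && name(byPID[parent.PPID]) == "gh" {
			out = append(out, fmt.Sprintf("pid %d: %s is a grandchild of gh via ssh", e.PID, name(e)))
		}
	}
	return out
}

// sampleEvents is constructed telemetry: one benign session, one injected.
func sampleEvents() []ProcEvent {
	return []ProcEvent{
		{100, 1, "/usr/bin/gh", []string{"gh", "codespace", "ssh"}},
		{101, 100, "/usr/bin/ssh", []string{"ssh", "-p", "2222", "codespace@localhost"}},
		{200, 1, "/usr/bin/gh", []string{"gh", "codespace", "logs"}},
		{201, 200, "/usr/bin/ssh", []string{"ssh", "-p", "2222", "-oProxyCommand=echo hacked"}},
		{202, 201, "/bin/sh", []string{"sh", "-c", "echo hacked"}},
	}
}
func main() { fmt.Println(strings.Join(Detect(sampleEvents()), "\n")) }
```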
CVSS provenance
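| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| osv | 9.6 | CRITICAL | — |
| vendor_debian | 8.0 | HIGH | — |
| vendor_msrc | 8.0 | HIGH | — |
| vendor_ubuntu | 8.0 | HIGH | — |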
Ubuntu
GitHub CLI vulnerability
vendor_ubuntu·2024-11-26·CVSS 8.0
CVE-2024-52308 [HIGH] GitHub CLI vulnerability
Title: GitHub CLI vulnerability
Summary: GitHub CLI could be made to run programs as your login if it
connected to a malicious server.
It was discovered that GitHub CLI incorrectly handled username
validation. An attacker could possibly use this issue to perform
remote code execution if the user connected to a malicious server.
(CVE-2024-52308)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
vendor_msrc·2024-11-12·CVSS 8.0
CVE-2024-52308 [HIGH] CWE-77 Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediat
Debian
CVE-2024-52308: gh - The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution...
vendor_debian·2024·CVSS 8.0
CVE-2024-52308 [HIGH] CVE-2024-52308: gh - The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution...
OSV
gh vulnerability
osv·2024-11-26·CVSS 9.6
CVE-2024-52308 [CRITICAL] gh vulnerability
It was discovered that GitHub CLI incorrectly handled username
validation. An attacker could possibly use this issue to perform
remote code execution if the user connected to a malicious server.
(CVE-2024-52308)
OSV
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli
osv·2024-11-19
CVE-2024-52308 Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli
OSV
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
osv·2024-11-14
CVE-2024-52308 [HIGH] Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
### Summary
A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the `gh codespace ssh` or `gh codespace logs` commands.
### Details
The vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use an SSH server running within a devcontainer, often provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-co
OSV
CVE-2024-52308: The GitHub CLI version 2
osv·2024-11-14·CVSS 9.6
CVE-2024-52308 [CRITICAL] CVE-2024-52308: The GitHub CLI version 2
GHSA
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
ghsa·2024-11-14
CVE-2024-52308 [HIGH] CWE-77 Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.