CVE-2024-53858: Sensitive Information Exposure in CLI CLI V2

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 83.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 27; Latest update Feb 4

Description

The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from several `gh` commands used to clone a repository with submodules from a non-GitHub host including `gh repo clone`, `gh repo fork`, and `gh pr checkout`. These GitHub CLI commands invoke git with instructions to retrieve au

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Exploitability: 1.0 | Impact: 5.5

Affected Packages: 6 packages

🔴 Vulnerability Details (5)

- OSV: gh vulnerabilities (2026-02-04)
- OSV: Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli (2024-12-02)
- OSV: Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts (2024-11-27)
- GHSA: Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts (2024-11-27)
- OSV: CVE-2024-53858: The gh cli is GitHub’s official command line tool (2024-11-27)

📋 Vendor Advisories (3)

- Ubuntu: GitHub CLI vulnerabilities (2026-02-04)
- Microsoft: Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in the gh cli (2024-11-12)
- Debian: CVE-2024-53858: gh - The gh cli is GitHub’s official command line tool. A security vulnerability has ... (2024)

🕵️ Threat Intelligence (1)

- Bleepingcomputer: Clone2Leak attacks exploit Git flaws to steal credentials (2025-01-27)
CVE-2024-53858 — Sensitive Information Exposure | cvebase