CVE-2024-53858
Published 2024-11-27
Priority: P4 · Severity: medium · CVSS 3.1 base score 6.5 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS: 0.28% (19.8th percentile)
The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com.

This vulnerability stems from several `gh` commands used to clone a repository with submodules from a non-GitHub host, including `gh repo clone`, `gh repo fork`, and `gh pr checkout`. These GitHub CLI commands invoke git with instructions to retrieve authentication tokens using the `credential.helper` configuration variable for any host encountered. Prior to version `2.63.0`, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts and have tokens sourced from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage:

1. `GITHUB_ENTERPRISE_TOKEN`
2. `GH_ENTERPRISE_TOKEN`
3. `GITHUB_TOKEN`, when the `CODESPACES` environment variable is set

As a result, `git` sends those authentication tokens to the submodule host when cloning submodules.

In version `2.63.0`, these GitHub CLI commands limit the hosts for which `gh` acts as a credential helper to source authentication tokens. Additionally, `GITHUB_TOKEN` is only used for GitHub.com and ghe.com. Users are advised to upgrade. Users are additionally advised to revoke authentication tokens used with the GitHub CLI and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.
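The leak path described above has three moving parts: a `gh` older than `2.63.0`, one of the listed token variables present in the environment, and a submodule whose URL points at an HTTP(S) host outside GitHub.com/ghe.com. Git only consults `credential.helper` for HTTP(S) transports, so SSH and relative submodule URLs never trigger it. The following POSIX shell script is an added audit example, not code from the gh project or from this advisory; it checks each of the three conditions. It assumes the first line of `gh --version` reads `gh version X.Y.Z ...`, that a checkout's `.gitmodules` carries `url = ...` entries, and it treats any host ending in `.github.com` or `.ghe.com` as GitHub-operated (a simplification of gh's own hostname normalization). The function and file names are this example's own.

```shell
#!/bin/sh
# Added audit example for CVE-2024-53858 (not part of gh or the advisory).
# Three checks, one per element of the leak path:
#   1. is the installed gh older than the fixed release 2.63.0?
#   2. which of the token variables a pre-2.63.0 gh hands to any host it
#      treats as GitHub Enterprise Server are set in this shell?
#   3. which submodules are fetched over HTTP(S) from a host outside
#      github.com / ghe.com? Only HTTP(S) remotes make git run a credential
#      helper, so SSH and relative submodule URLs are skipped.
# Assumption: a host ending in .github.com or .ghe.com counts as GitHub-operated.

FIXED_VERSION=2.63.0

# version_lt A B: exit 0 when version A sorts before B.
# Accepts an optional leading "v" and ignores anything after the patch number.
version_lt() {
  a=$(printf '%s' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  b=$(printf '%s' "$2" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$a" ] && [ -n "$b" ] || return 2          # unparseable input
  set -- $a $b                                    # $1..$3 = A, $4..$6 = B
  [ "$1" -ne "$4" ] && { [ "$1" -lt "$4" ]; return; }
  [ "$2" -ne "$5" ] && { [ "$2" -lt "$5" ]; return; }
  [ "$3" -lt "$6" ]
}

# gh_version_vulnerable X.Y.Z: exit 0 when that upstream gh release predates the fix.
gh_version_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# installed_gh_version: print the version of the gh on PATH, or nothing if absent.
installed_gh_version() {
  command -v gh >/dev/null 2>&1 || return 0
  gh --version 2>/dev/null | sed -n '1s/^gh version \([0-9][0-9.]*\).*/\1/p'
}

# leaky_env_vars: print, one per line, the variables from the advisory's list
# that are set here. A vulnerable gh sources these for every non-GitHub host.
leaky_env_vars() {
  [ -n "${GITHUB_ENTERPRISE_TOKEN-}" ] && echo GITHUB_ENTERPRISE_TOKEN
  [ -n "${GH_ENTERPRISE_TOKEN-}" ] && echo GH_ENTERPRISE_TOKEN
  # GITHUB_TOKEN only reaches foreign hosts when CODESPACES is also set.
  [ -n "${CODESPACES-}" ] && [ -n "${GITHUB_TOKEN-}" ] && echo GITHUB_TOKEN
  return 0
}

# foreign_submodule_hosts FILE: print "host<TAB>url" for each submodule in a
# .gitmodules file whose URL is http(s) and whose host is not GitHub-operated.
foreign_submodule_hosts() {
  sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$1" |
  while IFS= read -r url; do
    case "$url" in
      http://*|https://*) ;;
      *) continue ;;                 # ssh://, scp-like and relative URLs: no credential helper
    esac
    host=${url#*://}                 # drop scheme
    host=${host%%/*}                 # drop path
    host=${host##*@}                 # drop userinfo
    host=${host%%:*}                 # drop port
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    case "$host" in
      github.com|*.github.com|ghe.com|*.ghe.com) ;;
      *) printf '%s\t%s\n' "$host" "$url" ;;
    esac
  done
}

# audit_repo [DIR]: report findings for one checkout. Exit 1 only when all
# three elements are present, since the leak needs every one of them.
audit_repo() {
  repo=${1:-.}
  v=$(installed_gh_version)
  vars=$(leaky_env_vars)
  hosts=""
  [ -f "$repo/.gitmodules" ] && hosts=$(foreign_submodule_hosts "$repo/.gitmodules")
  vulnerable=1
  [ -n "$v" ] && gh_version_vulnerable "$v" && vulnerable=0 && echo "gh $v predates $FIXED_VERSION: upgrade"
  [ -n "$vars" ] && printf 'token variables in this shell:\n%s\n' "$vars"
  [ -n "$hosts" ] && printf 'submodules on non-GitHub HTTPS hosts:\n%s\n' "$hosts"
  if [ "$vulnerable" -eq 0 ] && [ -n "$vars" ] && [ -n "$hosts" ]; then
    echo "AT RISK: a recursive clone of $repo with this gh would send a token to the hosts above"
    return 1
  fi
  return 0
}

# Usage: sh gh-submodule-audit.sh /path/to/checkout
if [ $# -gt 0 ]; then audit_repo "$1"; fi
```

Run it against a checkout made without submodules, before `git submodule update --init` pulls the nested repositories. Two caveats: the version check compares the upstream release string only, so a distribution package that backports the fix (Debian's `2.46.0-3`, for example, still reports `gh version 2.46.0`) is flagged as vulnerable and should be judged by its package version instead; and the advisory notes a fallback to host-specific tokens in secure storage after the environment variables, but for an arbitrary foreign host there is normally no such stored token, which is why the environment variables are the realistic leak source.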
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cli | cli | < 2.63.0 | 2.63.0 |
| debian | gh | < 2.46.0-3 (sid) | 2.46.0-3 (sid) |
| github.com | cli_cli_v2 | >= 0 < 2.63.0 | 2.63.0 |
| msrc | azl3_gh_2.62.0-5_on_azure_linux_3.0 | — | — |
| msrc | azl3_gh_2.62.0-8_on_azure_linux_3.0 | — | — |
| msrc | cbl2_gh_2.13.0-24_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L |
| OSV | 6.5 | MEDIUM | |
| Debian | 6.5 | MEDIUM | |
| MSRC | 6.5 | MEDIUM | |
| Ubuntu | 6.5 | MEDIUM | |
OSV
gh vulnerabilities
osv · 2026-02-04 · CVSS 6.5 · CVE-2024-54132 [MEDIUM]
OSV
Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli
osv · 2024-12-02 · CVE-2024-53858
OSV
Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts
osv · 2024-11-27 · CVE-2024-53858 [MEDIUM]
GHSA
Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts
ghsa · 2024-11-27 · CVE-2024-53858 [MEDIUM] · CWE-200
### Summary
A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com.
### Details
This vulnerability stems from several `gh` commands used to clone a repository with submodules from a non-GitHub host including `gh repo clone`, `gh repo fork`, `gh pr checkout`. These GitHub CLI commands invoke `git` with instructions to retrieve authentication tokens using the [`credential.helper`](https://git-scm.com/docs/gitcredentials) configuration variable for any host encountered.
Prior to `2.63.0`, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise
OSV
CVE-2024-53858: The gh cli is GitHub’s official command line tool
osv · 2024-11-27 · CVSS 6.5 · CVE-2024-53858 [MEDIUM]
Ubuntu
GitHub CLI vulnerabilities
vendor_ubuntu · 2026-02-04 · CVSS 6.5 · CVE-2024-53858 [MEDIUM]
Summary: Several security issues were fixed in GitHub CLI.

It was discovered that GitHub CLI could behave unexpectedly if users downloaded a malicious GitHub Actions workflow artifact through gh run download. An attacker could possibly use this issue to create or overwrite files in unintended directories. (CVE-2024-54132)

It was discovered that GitHub CLI could behave unexpectedly when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. An attacker could possibly use this issue to gather authentication tokens. (CVE-2024-53858)

Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in the gh cli
vendor_msrc · 2024-11-12 · CVSS 6.5 · CVE-2024-53858 [MEDIUM] · CWE-200
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Debian
CVE-2024-53858: gh - The gh cli is GitHub’s official command line tool
vendor_debian · 2024 · CVSS 6.5 · CVE-2024-53858 [MEDIUM]
No detection rules found.
No public exploits indexed.