CVE-2024-53859: Sensitive Information Exposure in CLI Go-gh V2

Severity
7.5 HIGH (NVD)
EPSS
0.1% (top 82.34%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 27
Latest update: Mar 20

Description

go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` sources authentication tokens from different environment variables depending on the host involved:

1. `GITHUB_TOKEN`, `GH_TOKEN` for GitHub.com and ghe.com
2. `GITHUB_ENTERPRISE_TOKEN`, `GH_ENTERPRISE_TOKEN` for GitHub Ent

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Vulnerability Details (5)

OSV
golang-github-cli-go-gh-v2 vulnerability (2025-03-20)
OSV
Violation of GitHub host security boundary when sourcing authentication token within a codespace in github.com/cli/go-gh (2024-12-12)
OSV
CVE-2024-53859: go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line (2024-11-27)
OSV
`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace (2024-11-27)
GHSA
`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace (2024-11-27)

Vendor Advisories (3)

Ubuntu
go-gh vulnerability (2025-03-20)
Microsoft
go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace (2024-11-12)
Debian
CVE-2024-53859: golang-github-cli-go-gh-v2 - go-gh is a Go module for interacting with the `gh` utility and the GitHub API fr... (2024)
CVE-2024-53859 — Sensitive Information Exposure | cvebase