CVE-2024-54132 — Path Traversal in CLI CLI V2
Severity: 6.3 MEDIUM (NVD); 6.5 (OSV)
EPSS: 0.5% (top 33.06%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (none listed)
Timeline: Published Dec 4; Latest update Feb 4
Description
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the …
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages: 8 packages
Vulnerability Details
GHSA: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability (2024-12-04)
OSV: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability (2024-12-04)
OSV: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability in github.com/cli/cli (2024-12-04)