CVE-2025-25204Detection of Error Condition Without Action in CLI CLI V2

CWE-390Detection of Error Condition Without Action7 documents5 sources
Severity
6.3MEDIUMNVD
EPSS
0.2%
top 56.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Github.com CLI CLI V2CLIDebian GH+2 more
Timeline
PublishedFeb 14
Latest updateMar 3

Description

`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy mal

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:NExploitability: 1.8 | Impact: 4.0

Affected Packages5 packages

Gogithub.com/cli_cli_v22.49.02.67.0
CVEListV5cli/cli>= 2.49.0, < 2.67.0
debiandebian/gh

🔴Vulnerability Details

4
OSV
`gh attestation verify` returns incorrect exit code during verification if no attestations are present in github.com/cli/cli2025-03-03
OSV
`gh attestation verify` returns incorrect exit code during verification if no attestations are present2025-02-14
GHSA
`gh attestation verify` returns incorrect exit code during verification if no attestations are present2025-02-14
OSV
CVE-2025-25204: `gh` is GitHub’s official command line tool2025-02-14

📋Vendor Advisories

2
Microsoft
`gh attestation verify` returns incorrect exit code during verification if no attestations are present2025-02-11
Debian
CVE-2025-25204: gh - `gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prio...2025
CVE-2025-25204 — Github.com CLI CLI V2 vulnerability | cvebase