CVE-2025-48938
published 2025-05-30

Priority: P2 60 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% (34.3rd percentile)
go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1: an attacker-controlled GitHub Enterprise Server could cause arbitrary commands to be executed on a user's machine by replacing the HTTP URLs that GitHub would normally return with local file paths, which `Browser.Browse()` then handed to the operating system's open-in-browser mechanism without checking that the target was actually a web URL. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios so that files on the filesystem are not opened or executed, without unduly impacting legitimate HTTP URLs. No known workarounds are available other than upgrading.

Affected

5 ranges

Vendor       Product                                Version range     Fixed in
cli          go-gh                                  < 2.12.1          2.12.1
debian       golang-github-cli-go-gh                -                 -
debian       golang-github-cli-go-gh-v2             -                 -
github.com   cli_go-gh_v2                           >= 0, < 2.12.1    2.12.1
msrc         azl3_gh_2.62.0-9_on_azure_linux_3.0    -                 -

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered when an attacker-controlled GitHub Enterprise Server substitutes local file paths for the HTTP URLs it returns, and the client's browser-open mechanism then opens or executes them. Monitor for `Browser.Browse()` calls, or equivalent OS-level browser-open invocations (`open`, `xdg-open`, `start`), whose argument is a `file://` URL or a local filesystem path (e.g. a path starting with `/`, a drive letter such as `C:\`, or a UNC path) rather than an `http://` or `https://` URL.
  • Focus detection on go-gh versions prior to 2.12.1, where `Browser.Browse()` does not validate or restrict filesystem paths. Identify installations of go-gh (Debian: golang-github-cli-go-gh / golang-github-cli-go-gh-v2) older than 2.12.1 in your environment as a priority triage signal.
  • In `2.12.1`, `Browser.Browse()` was patched to enforce allow/disallow logic for filesystem paths. Use this as a code-level detection reference: any fork or vendored copy of go-gh that lacks the updated `Browser.Browse()` validation logic is vulnerable.
  • The attack requires the user to be connected to an attacker-controlled GitHub Enterprise Server (GHES) instance. The malicious GHES substitutes local file paths for the HTTP URLs returned to the go-gh client, so the attack surface is limited to environments where users authenticate against untrusted or compromised GHES endpoints.
  • No known workarounds exist other than upgrading go-gh to version 2.12.1 or later. Downstream distributions (Debian bookworm/forky/sid/trixie, Fedora 42, Azure Linux/CBL-Mariner) may still carry vulnerable versions; check package versions independently.
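The following Go program is an added illustration of the failure mode and the check described above; it is not go-gh's code, and none of its function names (`vulnerableBrowse`, `ValidateBrowseTarget`, `SafeBrowse`, `FlagSuspiciousTargets`) or its log format are taken from the project. It contrasts a pre-fix-style opener that passes any server-supplied string straight to the OS with a hardened validator that only accepts absolute http(s) URLs, and then runs that validator over a constructed log sample to flag the targets that would have reached the OS opener on a vulnerable build.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"runtime"
	"strings"
)

// ErrNotWebURL is returned for any browse target that is not an http(s) URL.
var ErrNotWebURL = errors.New("refusing to open non-http(s) target")

// vulnerableBrowse reconstructs the pre-2.12.1 failure mode for illustration:
// whatever string the server returned is handed to the platform opener, so a
// local path or file:// URL is opened or executed. It returns the argv that
// would run instead of executing it.
func vulnerableBrowse(target string) []string {
	switch runtime.GOOS {
	case "darwin":
		return []string{"open", target}
	case "windows":
		return []string{"cmd", "/c", "start", "", target}
	default:
		return []string{"xdg-open", target}
	}
}

// ValidateBrowseTarget is a hypothetical hardened check (not go-gh's): only an
// absolute http or https URL with a host is accepted. Bare paths, file://,
// Windows drive letters (parsed as a one-letter scheme), UNC paths, and other
// schemes such as javascript: are all rejected before anything is executed.
func ValidateBrowseTarget(raw string) (string, error) {
	trimmed := strings.TrimSpace(raw)
	if trimmed == "" {
		return "", ErrNotWebURL
	}
	u, err := url.Parse(trimmed)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrNotWebURL, err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return "", fmt.Errorf("%w: scheme %q", ErrNotWebURL, u.Scheme)
	}
	if u.Host == "" {
		return "", fmt.Errorf("%w: missing host", ErrNotWebURL)
	}
	return u.String(), nil
}

// SafeBrowse validates first and only then invokes the platform opener.
func SafeBrowse(target string) error {
	clean, err := ValidateBrowseTarget(target)
	if err != nil {
		return err
	}
	argv := vulnerableBrowse(clean) // same opener, now fed a vetted URL only
	return exec.Command(argv[0], argv[1:]...).Start()
}

// constructedLog is a made-up sample of what an extension might log before
// calling its opener; it is not a real go-gh log format.
var constructedLog = []string{
	"browse target=https://github.example.com/org/repo/pull/42",
	"browse target=/home/dev/.config/gh/run.sh",
	"browse target=file:///tmp/payload.html",
	"browse target=https://github.example.com/org/repo/issues/7",
}

// FlagSuspiciousTargets returns the targets that fail the hardened check,
// i.e. those that would have reached the OS opener on a vulnerable build.
func FlagSuspiciousTargets(lines []string) []string {
	const prefix = "browse target="
	var flagged []string
	for _, l := range lines {
		if !strings.HasPrefix(l, prefix) {
			continue
		}
		target := strings.TrimPrefix(l, prefix)
		if _, err := ValidateBrowseTarget(target); err != nil {
			flagged = append(flagged, target)
		}
	}
	return flagged
}

func main() {
	for _, t := range FlagSuspiciousTargets(constructedLog) {
		fmt.Printf("suspicious browse target: %q (vulnerable build would run %v)\n",
			t, vulnerableBrowse(t))
	}
}
```

The validator deliberately whitelists schemes rather than blacklisting `file`: a Windows path such as `C:\Users\dev\evil.bat` parses as scheme `c`, and a scheme-less `//host/share/x` has a host but no scheme, so both fall through to the reject branch without needing special cases.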

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0      2.6     LOW        CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv             -         2.6     LOW
vendor_debian   -         2.6     LOW
vendor_msrc     -         2.6     LOW

The two NVD scores disagree sharply. The v3.1 vector models an unauthenticated, no-interaction remote attacker with direct high impact on the vulnerable component, while the v4.0 vector (and the matching 2.6 from OSV, Debian and MSRC) assumes an attacker with low privileges on a GHES instance the user has chosen to connect to, with the high impact landing on a subsequent system (the user's machine) rather than on go-gh itself. The v4.0 model is the one that matches the advisory text, so treat 9.8 as an upper bound when prioritising.