CVE-2025-48938
Published 2025-05-30. CVE-2025-48938: go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1…

Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% (34.3th percentile)
go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cli | go-gh | < 2.12.1 | 2.12.1 |
| debian | golang-github-cli-go-gh | — | — |
| debian | golang-github-cli-go-gh-v2 | — | — |
| github.com | cli_go-gh_v2 | >= 0 < 2.12.1 | 2.12.1 |
| msrc | azl3_gh_2.62.0-9_on_azure_linux_3.0 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered when an attacker-controlled GitHub Enterprise Server replaces HTTP URLs with local file paths, causing arbitrary command execution via the browser open mechanism. Monitor for `Browser.Browse()` calls or equivalent OS-level browser-open invocations that receive `file://` or local filesystem paths (e.g., paths starting with `/`) instead of `http://` or `https://` URLs.
- Focus detection on go-gh versions prior to 2.12.1, where `Browser.Browse()` does not validate or restrict file system paths. Identify installations of golang-github-cli-gh / go-gh < 2.12.1 in your environment as a priority triage signal.
- In `2.12.1`, `Browser.Browse()` was patched to enforce allow/disallow logic for file system paths. Use this as a code-level detection reference: any fork or vendored copy of go-gh that lacks the updated `Browser.Browse()` validation logic is vulnerable.
- The attack requires the user to be connected to an attacker-controlled GitHub Enterprise Server (GHES) instance. The malicious GHES substitutes local file paths for HTTP URLs returned to the go-gh client, so the attack surface is limited to environments where users authenticate against untrusted or compromised GHES endpoints.
- No known workarounds exist other than upgrading go-gh to version 2.12.1 or later. Downstream distributions (Debian bookworm/forky/sid/trixie, Fedora 42, Azure Linux/CBL-Mariner) may still carry vulnerable versions: check package versions independently.
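As an added illustration of the kind of check the detection bullets describe (this is not go-gh's own `Browser.Browse()` code, and the function names and sample values are assumed), the Go snippet below accepts a browse target only when it is an absolute http(s) URL with a host, refusing `file://` URLs, bare POSIX paths, Windows drive paths and host-less URLs before anything reaches an OS browser-open mechanism:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Illustrative check, not go-gh's own Browser.Browse() logic: a value that a
// remote server hands back for "open in browser" is accepted only if it is an
// absolute http(s) URL with a host. Anything else is refused.
func IsSafeBrowseTarget(target string) bool {
	u, err := url.Parse(strings.TrimSpace(target))
	if err != nil {
		return false
	}
	// "/tmp/x" parses with an empty scheme; "C:\x" parses with scheme "c".
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return false
	}
	// "http:///etc/hosts" parses as http with an empty host: refuse it too.
	return u.Host != ""
}

// RefusedTargets returns the subset of targets that the check rejects; useful
// when sweeping values logged by a browser-open helper during triage.
func RefusedTargets(targets []string) []string {
	var refused []string
	for _, t := range targets {
		if !IsSafeBrowseTarget(t) {
			refused = append(refused, t)
		}
	}
	return refused
}

func main() {
	// Constructed sample values, not observed in any real GHES response.
	samples := []string{
		"https://ghes.example/org/repo/pull/1",
		"file:///tmp/notes.txt",
		"/tmp/notes.txt",
		`C:\Users\me\notes.cmd`,
		"http:///etc/hosts",
	}
	fmt.Println(RefusedTargets(samples)) // every entry except the first
}
```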
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 2.6 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 2.6 | LOW | — |
| vendor_debian | — | 2.6 | LOW | — |
| vendor_msrc | — | 2.6 | LOW | — |
Microsoft
Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server
vendor_msrc · 2025-05-13 · CVSS 2.6
CVE-2025-48938 [LOW] CWE-501
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Debian
CVE-2025-48938: golang-github-cli-go-gh - go-gh is a collection of Go modules to make authoring GitHub CLI extensions easi...
vendor_debian · 2025 · CVSS 2.6
CVE-2025-48938 [LOW]
Scope: local
Status by suite: bookworm open, forky open, sid open, trixie open
OSV
GitHub CLI and extensions can execute arbitrary commands on compromised GitHub Enterprise Server in github.com/cli/go-gh
osv · 2025-06-03
OSV
Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server
osv · 2025-05-30
CVE-2025-48938 [MEDIUM]
### Summary
A security vulnerability has been identified in `go-gh` where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing.
### Details
The GitHub CLI and CLI extensions allow users to transition from their terminal for a variety of use cases through the [`Browser` capability in `github.com/cli/go-gh/v2/pkg/browser`](https://github.com/cli/go-gh/blob/61bf393cf4aeea6d00a6251390f5f67f5b67e727/pkg/browser/browser.go):
- Using the `-w, --web` flag, GitHub CLI users can view GitHub repositories, issues, pull requests, and more using their web
GHSA
Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server
ghsa · 2025-05-30
CVE-2025-48938 [MEDIUM] CWE-501
OSV
CVE-2025-48938: go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier
osv · 2025-05-30 · CVSS 2.6
CVE-2025-48938 [LOW]
No detection rules found.
No public exploits indexed.
Published: 2025-05-30