github.com/cli/cli/v2 vulnerabilities

4 known vulnerabilities affecting github.com/cli/cli/v2.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 3

Vulnerabilities

CVE-2025-25204 | MEDIUM | ≥ 2.49.0, < 2.67.0 | 2025-02-14
CVE-2025-25204 [MEDIUM] CWE-390 `gh attestation verify` returns incorrect exit code during verification if no attestations are present
### Summary
A bug in GitHub's Artifact Attestation CLI tool, `gh attestation verify`, may return an incorrect zero exit status when no matching attestations are found for the specified `--predicate-type ` or the default `https://slsa.dev/provenance/v1` if not
Sources: GHSA, OSV

CVE-2024-54132 | MEDIUM | ≥ 0, < 2.63.1 | 2024-12-04
CVE-2024-54132 [MEDIUM] CWE-22 Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability
### Summary
A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through `gh run download`.
### Details
This vulnerability stems from a GitHu
Sources: GHSA, OSV

CVE-2024-53858 | MEDIUM | ≥ 0, < 2.63.0 | 2024-11-27
CVE-2024-53858 [MEDIUM] CWE-200 Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts
### Summary
A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com.
### Details
This vulnerability stems from several `gh` commands used to clo
Sources: GHSA, OSV

CVE-2024-52308 | HIGH | ≥ 0, < 2.62.0 | 2024-11-14
CVE-2024-52308 [HIGH] CWE-77 Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
### Summary
A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the `gh codespace ssh` or `gh codespace logs` commands.
### Details
The vulnerability
Sources: GHSA, OSV