CVE-2025-48938

30.05.2025, 19:15

go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Vendor	Product	Version
cli	go-gh	𝑥 < 2.12.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

golang-github-cli-go-gh

bookworm	no-dsa
trixie	no-dsa
forky	vulnerable
sid	vulnerable

golang-github-cli-go-gh-v2

forky	vulnerable
sid	vulnerable
trixie	no-dsa
bookworm	no-dsa

Common Weakness Enumeration

CWE-501 - Trust Boundary Violation
The product mixes trusted and untrusted data in the same data structure or structured message.

References

https://github.com/cli/go-gh/blob/61bf393cf4aeea6d00a6251390f5f67f5b67e727/pkg/browser/browser.go

https://github.com/cli/go-gh/commit/a08820a13f257d6c5b4cb86d37db559ec6d14577

https://github.com/cli/go-gh/security/advisories/GHSA-g9f5-x53j-h563