CVE-2025-48938

30.05.2025, 19:15

go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

golang-github-cli-go-gh

bookworm	vulnerable
sid	vulnerable
trixie	vulnerable

golang-github-cli-go-gh-v2

sid	vulnerable
trixie	vulnerable

Common Weakness Enumeration

CWE-501 - Trust Boundary Violation
The product mixes trusted and untrusted data in the same data structure or structured message.

References

https://github.com/cli/go-gh/blob/61bf393cf4aeea6d00a6251390f5f67f5b67e727/pkg/browser/browser.go

https://github.com/cli/go-gh/commit/a08820a13f257d6c5b4cb86d37db559ec6d14577

https://github.com/cli/go-gh/security/advisories/GHSA-g9f5-x53j-h563