Arbitrary Command Execution Vulnerability in go-gh by GitHub
CVE-2025-48938

2.6LOW

Key Information:

Vendor

Cli

Status
Go-gh
Vendor
CVE Published:
30 May 2025

What is CVE-2025-48938?

A vulnerability has been found in go-gh, a set of Go modules for creating GitHub CLI extensions, affecting versions before 2.12.1. This flaw allows an attacker with control over a GitHub Enterprise Server to manipulate HTTP URLs, potentially leading to the execution of arbitrary commands on a user's machine by substituting these URLs with local file paths. To mitigate this risk, users are recommended to upgrade to version 2.12.1, which includes enhancements to the Browser.Browse() function aimed at preventing unauthorized file access while maintaining functionality for HTTP URLs.

Affected Version(s)

go-gh < 2.12.1

References

https://github.com/cli/go-gh/security/advisories/GHSA-g9f...
x_refsource_CONFIRM
https://github.com/cli/go-gh/commit/a08820a13f257d6c5b4cb...
x_refsource_MISC
https://github.com/cli/go-gh/blob/61bf393cf4aeea6d00a6251...
x_refsource_MISC

CVSS V4

Score:
2.6
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.