GitHub CLI can execute a git binary from the current directory

Moderate severity GitHub Reviewed Published Nov 11, 2020 in cli/cli • Updated Jan 11, 2023

Package

gomod github.com/cli/cli (Go)

Affected versions

< 1.2.1

Patched versions

1.2.1

Description

Impact

GitHub CLI depends on a git.exe executable being found in system %PATH% on Windows. However, if a malicious .\git.exe or .\git.bat is found in the current working directory at the time of running gh, the malicious command will be invoked instead of the system one.

Windows users who run gh inside untrusted directories are affected.
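The lookup check that closes this gap, as an added defensive illustration using only the Go standard library (not code from GitHub CLI or its 1.2.1 fix): a bare program name such as `git` is accepted only when the resolver did not satisfy it from the current directory. The `.\git.exe` and `.\git.bat` cases come from the advisory; the other sample paths are constructed.

```go
package main

import (
	"fmt"
	"os/exec"
	"path/filepath"
)

// resolvedFromCwd reports whether a lookup for `file` was satisfied by the
// current working directory rather than by a PATH entry: the caller asked for
// a bare name (no directory component, e.g. "git") but got back a relative
// path such as `.\git.exe`. A request that was itself relative ("./git") is
// not flagged, because the caller chose that directory explicitly.
func resolvedFromCwd(file, resolved string) bool {
	return filepath.Base(file) == file && !filepath.IsAbs(resolved)
}

// lookPathNoCwd wraps exec.LookPath and refuses any result that came from the
// current directory. Go 1.19+ already reports such a hit as an error on
// Windows; passing that error through keeps the same refusal on older Go.
func lookPathNoCwd(file string) (string, error) {
	resolved, err := exec.LookPath(file)
	if err != nil {
		return "", err
	}
	if resolvedFromCwd(file, resolved) {
		return "", fmt.Errorf("refusing %q: resolved from the current directory as %s", file, resolved)
	}
	return resolved, nil
}

func main() {
	// Decision table on constructed inputs; no process is started.
	cases := []struct{ file, resolved string }{
		{"git", `.\git.exe`},    // cwd hit via executable -> refuse
		{"git", `.\git.bat`},    // cwd hit via batch file -> refuse
		{"git", "/usr/bin/git"}, // genuine PATH entry -> allow
		{"./git", "./git"},      // caller asked for cwd explicitly -> allow
	}
	for _, c := range cases {
		fmt.Printf("%-6s -> %-14s from cwd: %v\n", c.file, c.resolved, resolvedFromCwd(c.file, c.resolved))
	}
	if p, err := lookPathNoCwd("git"); err != nil {
		fmt.Println("lookup refused:", err)
	} else {
		fmt.Println("will run:", p)
	}
}
```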

Patches

Users should upgrade to GitHub CLI v1.2.1.

Workarounds

Other than avoiding untrusted repositories, there is no workaround.

References

golang/go#38736

References

@mislav mislav published to cli/cli Nov 11, 2020
Reviewed May 21, 2021
Published to the GitHub Advisory Database Feb 11, 2022
Last updated Jan 11, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-fqfh-778m-2v32

Source code

No known source code

Credits
