CVE-2025-25204

Feb. 14, 2025, 5:15 p.m.

6.3
Medium

Description

`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.

Product(s) Impacted

Product Versions
GitHub CLI (gh)
  • ['2.49.0 - 2.66.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-390
Detection of Error Condition Without Action
The product detects a specific error, but takes no actions to handle the error.

References

https://github.com/cli/cli/issues/10418
https://github.com/cli/cli/pull/10421
https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8

Tags

security-advisories@github.com
CWE-390
2025-02-14
CVE-2025-25204

CVSS Score

6.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

    View Vector String

Timeline

Published: Feb. 14, 2025, 5:15 p.m.
Last Modified: Feb. 14, 2025, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.