Security: cli/cli
.github/SECURITY.md
GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as cli.
If you believe you have found a security vulnerability in GitHub CLI, you can report it to us in one of two ways:
- Report it to this repository directly using private vulnerability reporting.
  - Include a description of your investigation of the GitHub CLI's codebase and why you believe an exploit is possible.
  - POCs and links to code are greatly encouraged.
  - Such reports are not eligible for a bounty reward.
- Submit the report through HackerOne to be eligible for a bounty reward.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Thanks for helping make GitHub safe for everyone.
Published advisories for cli/cli:
- `gh attestation verify` returns incorrect exit code during verification when predicate types mismatch (GHSA-fgw4-v983-mgp8), published Feb 14, 2025 by BagToad, severity: Moderate
- Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability (GHSA-2m9h-r57g-45pj), published Dec 3, 2024 by jtmcg, severity: Low
- Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer (GHSA-p2h2-3vg9-4p87), published Nov 14, 2024 by andyfeller, severity: High
- Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts (GHSA-jwcm-9g39-pmcw), published Nov 27, 2024 by andyfeller, severity: Moderate
- GitHub CLI can execute a git binary from the current directory (GHSA-fqfh-778m-2v32), published Nov 11, 2020 by mislav, severity: Moderate
Learn more about advisories related to cli/cli in the GitHub Advisory Database.