CVE-2025-25204
📋 TL;DR
A bug in GitHub's CLI tool `gh` causes the `gh attestation verify` command to incorrectly return a zero exit status when no attestations are present, instead of signaling verification failure. This allows attackers to bypass deployment gatekeeping that relies on exit codes, potentially enabling malicious artifact deployment. Users of `gh` versions 2.49.0 through 2.66.0 who use attestation verification in automated pipelines are affected.
💻 Affected Systems
- GitHub CLI (gh)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can deploy malicious artifacts into production environments by bypassing attestation verification checks, potentially leading to supply chain compromise, data breaches, or system takeover.
Likely Case
Automated deployment pipelines that rely on exit codes from `gh attestation verify` may accept unverified artifacts, allowing unauthorized code execution in CI/CD environments.
If Mitigated
With proper controls like manual verification or additional security checks, the impact is limited to failed attestation checks requiring manual intervention.
🎯 Exploit Status
Exploitation requires ability to trigger `gh attestation verify` commands in target environments, typically through CI/CD pipelines or automation scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.67.0
Vendor Advisory: https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8
Restart Required: No
Instructions:
1. Update gh using your package manager: `brew upgrade gh` (macOS), `sudo apt update && sudo apt upgrade gh` (Debian/Ubuntu), or download from GitHub releases.
2. Verify the version with `gh --version`.
3. Ensure all CI/CD systems and automation scripts use the updated version.
🔧 Temporary Workarounds
Manual exit code checking
Add explicit exit code checking in scripts to verify that at least one attestation is present before relying on the exit status.
```bash
# In bash scripts: fail closed. A zero exit status from gh is not trusted on its own;
# the attestation count must be a number greater than zero. If gh or jq fails, the
# variable is empty and the check still fails.
set -o pipefail
attestations=$(gh attestation verify <artifact> -R <owner>/<repo> --format json | jq '.attestations | length')
if [ -z "$attestations" ] || [ "$attestations" -eq 0 ]; then
  echo "no attestations verified for <artifact>, refusing to continue" >&2
  exit 1
fi
```
Disable attestation verification
Temporarily disable or bypass attestation verification in deployment pipelines until patched. This removes the control entirely, so it should be paired with the manual review steps below.
```bash
# Remove or comment out gh attestation verify commands in CI/CD pipelines
```
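A fail-closed wrapper for pipelines that call the CLI from Python, added here as an example (it is not part of gh or of this advisory). It assumes `gh` is on PATH and that `gh attestation verify --format json` prints a JSON array with one element per verified attestation (an object with an `attestations` list is also accepted); any other output, a non-zero status or a crashed process is treated as "not attested".

```python
"""Fail-closed wrapper around `gh attestation verify` (example, not gh's own code)."""
import json
import subprocess
from typing import Callable, Tuple

Runner = Callable[[str, str], Tuple[int, str]]


def run_gh_verify(artifact: str, repo: str) -> Tuple[int, str]:
    """Invoke the real CLI and return (exit status, stdout). Needs gh on PATH."""
    proc = subprocess.run(
        ["gh", "attestation", "verify", artifact, "-R", repo, "--format", "json"],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode, proc.stdout


def count_attestations(stdout: str) -> int:
    """Number of verified attestations in the JSON output; 0 for anything unexpected."""
    try:
        data = json.loads(stdout)
    except json.JSONDecodeError:
        return 0  # empty or malformed output counts as nothing verified
    if isinstance(data, list):  # assumed shape: one entry per attestation
        return len(data)
    if isinstance(data, dict):  # tolerated alternative: {"attestations": [...]}
        inner = data.get("attestations")
        return len(inner) if isinstance(inner, list) else 0
    return 0


def artifact_is_attested(artifact: str, repo: str, runner: Runner = run_gh_verify) -> bool:
    """True only if gh exited 0 AND at least one attestation was verified.

    Exit status alone is not trusted: in gh 2.49.0 through 2.66.0 (CVE-2025-25204)
    verifying an artifact with no attestations still returned 0.
    """
    try:
        status, stdout = runner(artifact, repo)
    except (OSError, subprocess.SubprocessError):
        return False  # gh missing or crashed: fail closed
    if status != 0:
        return False
    return count_attestations(stdout) > 0


if __name__ == "__main__":
    import sys
    ok = artifact_is_attested(sys.argv[1], sys.argv[2])
    print("attested" if ok else "NOT attested: blocking deployment")
    sys.exit(0 if ok else 1)
```

Run as `python verify_gate.py <artifact> <owner>/<repo>` in the deploy step and gate on its exit status rather than on gh's.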
🧯 If You Can't Patch
- Implement manual review of all artifacts before deployment
- Add secondary verification steps independent of gh exit codes
🔍 How to Verify
Check if Vulnerable:
Run `gh --version` and check whether the version is between 2.49.0 and 2.66.0 inclusive. If you use attestation verification, test with an artifact known to have no attestations and check the exit code: a vulnerable version exits 0.
Check Version:
gh --version
Verify Fix Applied:
Update to version 2.67.0 or later, then test `gh attestation verify` on an artifact with no attestations; it should return a non-zero exit code.
📡 Detection & Monitoring
Log Indicators:
- gh attestation verify commands returning success (exit code 0) for artifacts with no attestations
- Deployment logs showing artifacts passing verification without attestations
Network Indicators:
- Unusual artifact downloads or deployments following attestation verification
SIEM Query:
process.name:"gh" AND process.args:"attestation verify" AND event.outcome:"success"