CVE-2025-48938

9.8 CRITICAL

📋 TL;DR

go-gh versions before 2.12.1 allow remote code execution by a malicious GitHub Enterprise Server. When a GitHub CLI extension built on go-gh opens a URL that the server supplied, an attacker who controls that server can return a local file path in place of the expected HTTP(S) URL; go-gh's browser module passes the string to the operating system's URL opener, which can execute it as a command on the victim's machine. Anyone running a gh extension built against a vulnerable go-gh and pointed at an untrusted GitHub Enterprise Server instance is exposed.
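To make the failure mode concrete, here is an added example (written for this page, not code from the go-gh project): a server-supplied target is either handed straight to a browser launcher, the pattern described above, or first run through a scheme and host check. The Launcher interface, RecordingLauncher, ValidateBrowseURL and the sample responses are all constructed for the illustration; go-gh's browser package exposes a Browse(url string) error method of the same shape, so a real launcher could stand in for the recording fake, but that wiring is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUntrustedURL marks any server-supplied target that must not reach the browser launcher.
var ErrUntrustedURL = errors.New("refusing to open untrusted URL")

// Launcher is the one method this example needs from a browser opener. go-gh's
// browser package has a Browse(url string) error method of the same shape, so a
// real launcher could be dropped in; a recording fake is used so this runs offline.
type Launcher interface {
	Browse(target string) error
}

// RecordingLauncher stands in for the real browser and only records what it was asked to open.
type RecordingLauncher struct{ Opened []string }

func (r *RecordingLauncher) Browse(target string) error {
	r.Opened = append(r.Opened, target)
	return nil
}

// ValidateBrowseURL accepts only absolute http(s) URLs on the GitHub host the
// CLI is configured for (the value behind GH_HOST, for example). A file:// URL,
// a bare local path, a javascript: URL, userinfo tricks or a foreign host are
// all rejected before the string can reach the OS "open this URL" helper,
// which is the step the advisory describes as leading to command execution.
func ValidateBrowseURL(raw, expectedHost string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrUntrustedURL, err)
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return "", fmt.Errorf("%w: scheme %q is not http(s)", ErrUntrustedURL, u.Scheme)
	}
	if u.User != nil {
		return "", fmt.Errorf("%w: userinfo is not allowed", ErrUntrustedURL)
	}
	if u.Hostname() == "" || !strings.EqualFold(u.Hostname(), expectedHost) {
		return "", fmt.Errorf("%w: host %q is not the configured host %q", ErrUntrustedURL, u.Hostname(), expectedHost)
	}
	return u.String(), nil
}

// OpenServerURLUnsafe mirrors the vulnerable pattern: the server's answer goes straight to the launcher.
func OpenServerURLUnsafe(l Launcher, serverURL string) error {
	return l.Browse(serverURL)
}

// OpenServerURL is the hardened form: validate first, launch only on success.
func OpenServerURL(l Launcher, serverURL, expectedHost string) error {
	safe, err := ValidateBrowseURL(serverURL, expectedHost)
	if err != nil {
		return err
	}
	return l.Browse(safe)
}

func main() {
	// Constructed responses in the shape a malicious GitHub Enterprise Server might
	// return where an https URL is expected; none of these is captured traffic.
	responses := []string{
		"https://ghe.example.com/login/oauth/authorize?client_id=abc",
		"file:///C:/Users/victim/AppData/Local/Temp/payload.exe",
		`C:\Windows\System32\calc.exe`,
		"/tmp/payload.sh",
		"https://attacker.example/device/login",
	}
	naive, hardened := &RecordingLauncher{}, &RecordingLauncher{}
	for _, r := range responses {
		_ = OpenServerURLUnsafe(naive, r)
		if err := OpenServerURL(hardened, r, "ghe.example.com"); err != nil {
			fmt.Printf("blocked %-62q %v\n", r, err)
		} else {
			fmt.Printf("opened  %q\n", r)
		}
	}
	fmt.Printf("naive launcher opened %d of %d responses, hardened launcher opened %d\n",
		len(naive.Opened), len(responses), len(hardened.Opened))
}
```

The host check matters as much as the scheme check: even an https URL on a host other than the configured GitHub instance is a phishing vector, and a local-path string such as C:\Windows\... parses as a URL with scheme "c", so an allowlist of schemes rather than a denylist of file:// is the right shape.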

💻 Affected Systems

Products:
  • go-gh
Versions: All versions prior to 2.12.1
Operating Systems: All platforms where go-gh is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default configurations when interacting with GitHub Enterprise Server instances.

📦 What is this software?

go-gh is the Go module maintained by the GitHub CLI team that packages the parts of gh that extensions share with it: host configuration, stored authentication, REST and GraphQL API clients, and opening URLs in the user's browser. GitHub CLI extensions are separate binaries (named gh-<extension>) built against this module, so a flaw in go-gh is compiled into every extension that depends on it and is fixed only when the extension is rebuilt.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary command execution as the user running gh or the extension, escalating to full control of the victim's workstation: data theft, ransomware deployment, or a persistent backdoor.

🟠

Likely Case

Code execution in the context of the user running gh or the extension, exposing the GitHub tokens gh stores, local repositories and other files, and giving the attacker a foothold for exfiltration or lateral movement from the developer's workstation.

🟢

If Mitigated

Network segmentation and least privilege limit what an attacker can do after the command runs, but they do not stop the command itself: code still executes as the CLI user unless go-gh is upgraded or the extension never talks to an untrusted server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim's gh CLI or extension to talk to a GitHub Enterprise Server the attacker controls or has compromised, and to open a URL that server returns. The attacker needs no credentials on the victim's machine; the user interaction is the normal workflow of the extension.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12.1

Vendor Advisory: https://github.com/cli/go-gh/security/advisories/GHSA-g9f5-x53j-h563

Restart Required: No

Instructions:

1. Update go-gh to version 2.12.1 or later. For Go modules, run 'go get github.com/cli/go-gh/v2@v2.12.1' in each extension or application that depends on it, then 'go mod tidy'.
2. Rebuild and re-release every binary built against the old version. The fix is compiled into the extension, so updating the library alone changes nothing on users' machines.
3. As an end user, pick up the rebuilt releases with 'gh extension upgrade --all' (or per extension by name).

🔧 Temporary Workarounds

No known workarounds

Applies to: all platforms

The vendor advisory states no workarounds exist other than upgrading.

🧯 If You Can't Patch

  • Point gh and its extensions only at GitHub Enterprise Server hosts you trust (check 'gh auth status' and the GH_HOST environment variable), and do not run unpatched extensions against third-party instances
  • Implement application allowlisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

In a source tree, run 'go list -m github.com/cli/go-gh/v2' (or read the require line in go.mod) and compare against 2.12.1; go.sum records every version the module cache has seen, so it is not authoritative. For an installed extension binary, 'go version -m <path-to-binary>' prints the module versions compiled in, including go-gh. Any version below 2.12.1, and any v1.x of github.com/cli/go-gh, is vulnerable.

Check Version:

go list -m github.com/cli/go-gh/v2

Verify Fix Applied:

Confirm that 'go list -m github.com/cli/go-gh/v2' (or 'go version -m <binary>' for a built extension) reports 2.12.1 or higher. If you track a fork or a pseudo-version rather than a tagged release, check that it contains fix commit a08820a13f257d6c5b4cb86d37db559ec6d14577.
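The commands above cover one source tree at a time; extensions are usually installed as prebuilt binaries, where 'go version -m <binary>' lists the modules compiled in. The following added example (not from the go-gh project) parses go.mod, go.sum and 'go version -m' output alike and reports any go-gh requirement below v2.12.1. The sample go.mod and 'go version -m' text are constructed; the pre-v2 module path github.com/cli/go-gh is included because every v1 release is older than the fix.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// FixedVersion is the first go-gh release containing the fix (from the advisory).
const FixedVersion = "v2.12.1"

// Module paths to audit: the affected v2 line and the pre-v2 path, every
// release of which is older than the fix.
var goGHModules = map[string]bool{
	"github.com/cli/go-gh":    true,
	"github.com/cli/go-gh/v2": true,
}

// Finding is one go-gh dependency line and the verdict for it.
type Finding struct {
	Module, Version string
	Vulnerable      bool
}

// parseSemver splits "v2.11.0", "2.12.1-rc1" or a pseudo-version into numeric
// parts and a flag saying whether a pre-release suffix was present.
func parseSemver(v string) (parts [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = true, v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false, false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// VersionBelow reports whether release a is older than release b. A pre-release
// or pseudo-version of X.Y.Z sorts below X.Y.Z itself, so a pseudo-version
// derived from the fixed release still counts as vulnerable: the conservative
// answer for an audit.
func VersionBelow(a, b string) (bool, error) {
	pa, preA, okA := parseSemver(a)
	pb, preB, okB := parseSemver(b)
	if !okA || !okB {
		return false, fmt.Errorf("unparseable version %q or %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return preA && !preB, nil
}

// AuditDependencies accepts go.mod lines ("github.com/cli/go-gh/v2 v2.11.0 // indirect"),
// go.sum lines ("github.com/cli/go-gh/v2 v2.11.0/go.mod h1:...") or `go version -m`
// lines ("dep\tgithub.com/cli/go-gh/v2\tv2.11.0\th1:...") and returns every go-gh
// line found with its verdict. A "replace ... => ..." directive is skipped.
func AuditDependencies(text string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		for i := 0; i+1 < len(fields); i++ {
			ver := strings.TrimSuffix(fields[i+1], "/go.mod")
			if !goGHModules[fields[i]] || !strings.HasPrefix(ver, "v") {
				continue
			}
			below, err := VersionBelow(ver, FixedVersion)
			if err != nil {
				return nil, err
			}
			findings = append(findings, Finding{Module: fields[i], Version: ver, Vulnerable: below})
			break
		}
	}
	return findings, sc.Err()
}

func main() {
	// With "-" as the only argument, audit whatever is piped in; otherwise run the
	// constructed samples below, which are not real project files.
	inputs := map[string]string{
		"go.mod (sample)":        "module example.com/gh-myext\n\ngo 1.22\n\nrequire (\n\tgithub.com/cli/go-gh/v2 v2.11.0\n\tgithub.com/spf13/cobra v1.8.0 // indirect\n)\n",
		"go version -m (sample)": "gh-myext: go1.22.3\n\tpath\texample.com/gh-myext\n\tmod\texample.com/gh-myext\t(devel)\n\tdep\tgithub.com/cli/go-gh/v2\tv2.12.1\th1:0000000000000000000000000000000000000000000=\n",
	}
	if len(os.Args) == 2 && os.Args[1] == "-" {
		data, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		inputs = map[string]string{"stdin": string(data)}
	}
	exit := 0
	for name, text := range inputs {
		findings, err := AuditDependencies(text)
		if err != nil {
			fmt.Fprintln(os.Stderr, name+":", err)
			exit = 2
			continue
		}
		if len(findings) == 0 {
			fmt.Printf("%-24s no go-gh dependency found\n", name)
		}
		for _, f := range findings {
			verdict := "ok"
			if f.Vulnerable {
				verdict, exit = "VULNERABLE (< "+FixedVersion+")", 1
			}
			fmt.Printf("%-24s %s %s %s\n", name, f.Module, f.Version, verdict)
		}
	}
	os.Exit(exit)
}
```

Typical use against an installed extension is 'go version -m ~/.local/share/gh/extensions/gh-<name>/gh-<name> | go run audit.go -' (the extension directory is the usual Linux location; adjust for your platform), and the non-zero exit status makes it usable in CI.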

📡 Detection & Monitoring

Log Indicators:

  • A gh or gh-<extension> process spawning the platform URL opener (xdg-open, open, rundll32 or cmd start) with a file:// URL or a local file path where an https:// URL is expected; go-gh writes no log of what it opened, so this comes from process-creation telemetry
  • Unexpected child processes of gh or gh-<extension> binaries, in particular executables in temporary or download directories

Network Indicators:

  • Traffic from gh or extension binaries to a GitHub Enterprise Server host that is not one of your sanctioned instances, followed shortly by the same process spawning a URL opener or an unexpected executable

SIEM Query:

Process creation where parent process name is 'gh' or starts with 'gh-' AND child process is a URL opener (xdg-open, open, rundll32, cmd) AND command line contains 'file://' or an absolute local path rather than an 'https://' URL on an approved GitHub host
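The query above is pseudo-syntax. The following added example (constructed for this page, not a vendor or project rule) encodes the same logic over a few constructed process-creation events: the parent is gh or a gh-* extension binary, the child is one of the OS URL openers a Go browser launcher relies on, and the target argument is not an http(s) URL on an expected GitHub host. The opener list, the field names and the allowed-host list are assumptions to adapt to your telemetry.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ProcessEvent is the slice of a process-creation record (Sysmon event ID 1,
// auditd execve, EDR telemetry) this rule needs; the field names are this
// example's own, not any product's schema.
type ProcessEvent struct {
	Timestamp, ParentImage, Image, CommandLine string
}

// Alert is a matching event plus the reason the rule fired.
type Alert struct {
	Event  ProcessEvent
	Reason string
}

// openers are the OS helpers a browser launcher hands a URL to (xdg-open on
// Linux, open on macOS, rundll32 or cmd start on Windows). Assumed list: tune it
// to what your gh installs actually spawn.
var openers = map[string]bool{
	"xdg-open": true, "open": true, "rundll32": true, "cmd": true, "explorer": true,
}

// localPath matches an absolute POSIX or Windows path with at least one directory
// component, so "/c" (a cmd.exe switch) does not match but "/tmp/x.sh" does.
var localPath = regexp.MustCompile(`^(?:[A-Za-z]:[\\/]|/)\S*[\\/]\S+$`)

// baseName returns the lower-cased file name without a trailing .exe.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `/\`); i >= 0 {
		p = p[i+1:]
	}
	return strings.TrimSuffix(strings.ToLower(p), ".exe")
}

// isGHParent matches gh itself and extension binaries, which are named gh-<name>.
func isGHParent(image string) bool {
	b := baseName(image)
	return b == "gh" || strings.HasPrefix(b, "gh-")
}

// classifyTarget inspects the opener's arguments (argv[0] skipped) and returns a
// reason for the first one that is not an http(s) URL on an allowed host. Arguments
// are split on whitespace; a quoted path containing spaces would need a real parser.
func classifyTarget(cmdline string, allowedHosts map[string]bool) string {
	args := strings.Fields(cmdline)
	if len(args) < 2 {
		return ""
	}
	for _, a := range args[1:] {
		a = strings.Trim(a, `"'`)
		lower := strings.ToLower(a)
		switch {
		case strings.HasPrefix(lower, "file://"):
			return "file:// URL passed to URL opener: " + a
		case strings.HasPrefix(lower, "http://"), strings.HasPrefix(lower, "https://"):
			u, err := url.Parse(a)
			if err != nil || !allowedHosts[strings.ToLower(u.Hostname())] {
				return "URL opener target is not an allowed GitHub host: " + a
			}
		case localPath.MatchString(a):
			return "local file path passed to URL opener: " + a
		}
	}
	return ""
}

// DetectSuspiciousBrowse applies the rule to a batch of events.
func DetectSuspiciousBrowse(events []ProcessEvent, allowedHosts map[string]bool) []Alert {
	var alerts []Alert
	for _, e := range events {
		if !isGHParent(e.ParentImage) || !openers[baseName(e.Image)] {
			continue
		}
		if reason := classifyTarget(e.CommandLine, allowedHosts); reason != "" {
			alerts = append(alerts, Alert{Event: e, Reason: reason})
		}
	}
	return alerts
}

// SampleEvents are constructed for this example; they are not captured telemetry.
var SampleEvents = []ProcessEvent{
	{"2025-06-01T10:00:00Z", "/usr/local/bin/gh-myext", "/usr/bin/xdg-open", "xdg-open https://ghe.example.com/login/oauth/authorize?client_id=abc"},
	{"2025-06-01T10:00:05Z", "/usr/local/bin/gh-myext", "/usr/bin/xdg-open", "xdg-open file:///tmp/payload.sh"},
	{"2025-06-01T10:00:09Z", `C:\Program Files\GitHub CLI\gh.exe`, `C:\Windows\System32\rundll32.exe`, `rundll32.exe url.dll,FileProtocolHandler C:\Users\victim\AppData\Local\Temp\payload.exe`},
	{"2025-06-01T10:00:12Z", "/usr/bin/bash", "/usr/bin/xdg-open", "xdg-open file:///home/dev/notes.pdf"},
	{"2025-06-01T10:00:15Z", "/usr/local/bin/gh-myext", "/usr/bin/git", "git fetch origin"},
	{"2025-06-01T10:00:20Z", "/usr/local/bin/gh", "/usr/bin/xdg-open", "xdg-open https://attacker.example/device/login"},
}

func main() {
	allowed := map[string]bool{"github.com": true, "ghe.example.com": true}
	for _, a := range DetectSuspiciousBrowse(SampleEvents, allowed) {
		fmt.Printf("%s parent=%s child=%s\n  %s\n", a.Event.Timestamp, a.Event.ParentImage, a.Event.Image, a.Reason)
	}
}
```

Of the six sample events only three fire: the file:// open and the rundll32 launch of a local executable from gh processes, and the https open of a non-GitHub host. The bash-parented file:// open and the git child of the extension are left alone, which is the noise control a parent-plus-opener rule buys over a bare 'file://' string match.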

🔗 References

  • Vendor advisory: https://github.com/cli/go-gh/security/advisories/GHSA-g9f5-x53j-h563
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-48938
