CVE-2024-53859
go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability in `go-gh` could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when running within a codespace.

`go-gh` sources authentication tokens from different environment variables depending on the host involved:

1. `GITHUB_TOKEN` and `GH_TOKEN` for GitHub.com and ghe.com
2. `GITHUB_ENTERPRISE_TOKEN` and `GH_ENTERPRISE_TOKEN` for GitHub Enterprise Server

Prior to version `2.11.1`, `auth.TokenForHost` could source a token from the `GITHUB_TOKEN` environment variable for a host other than GitHub.com or ghe.com when within a codespace. In version `2.11.1`, `auth.TokenForHost` only sources a token from `GITHUB_TOKEN` for GitHub.com or ghe.com hosts. Successful exploitation could send an authentication token to an unintended host.

This issue has been addressed in version 2.11.1 and all users are advised to upgrade. Users are also advised to regenerate authentication tokens and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.
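The token-selection logic described above, modelled as an added example that is not go-gh's own code: `tokenForHostVulnerable` reproduces the pre-2.11.1 behaviour the advisory describes (inside a codespace, a non-GitHub host falls back to `GITHUB_TOKEN`), and `tokenForHostFixed` reproduces the 2.11.1 rule that `GITHUB_TOKEN` is only ever returned for GitHub.com or ghe.com hosts. The host classification, the `CODESPACES=true` detection and the environment values are assumptions made for the example, not facts taken from the project.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Environment variable names named in the advisory.
const (
	githubToken           = "GITHUB_TOKEN"
	ghToken               = "GH_TOKEN"
	githubEnterpriseToken = "GITHUB_ENTERPRISE_TOKEN"
	ghEnterpriseToken     = "GH_ENTERPRISE_TOKEN"
	// Assumption for this example: a codespace is detected via CODESPACES=true.
	codespacesVar = "CODESPACES"
)

// envFunc stands in for os.Getenv so the example runs against constructed values.
type envFunc func(key string) string

// normalizeHost lower-cases the host and strips a leading "www." (simplified).
func normalizeHost(host string) string {
	host = strings.ToLower(strings.TrimSpace(host))
	return strings.TrimPrefix(host, "www.")
}

// isGitHubHost treats github.com and *.ghe.com tenants as GitHub hosts;
// every other host is treated as a GitHub Enterprise Server (assumption).
func isGitHubHost(host string) bool {
	host = normalizeHost(host)
	return host == "github.com" || host == "ghe.com" || strings.HasSuffix(host, ".ghe.com")
}

// firstSet returns the first non-empty variable among keys and its name.
func firstSet(env envFunc, keys ...string) (token, source string) {
	for _, k := range keys {
		if v := env(k); v != "" {
			return v, k
		}
	}
	return "", ""
}

// tokenForHostVulnerable models the pre-2.11.1 behaviour: for a non-GitHub
// host inside a codespace it falls back to GITHUB_TOKEN, leaking a GitHub.com
// token to whatever host the caller names.
func tokenForHostVulnerable(host string, env envFunc) (token, source string) {
	if isGitHubHost(host) {
		return firstSet(env, ghToken, githubToken)
	}
	if tok, src := firstSet(env, ghEnterpriseToken, githubEnterpriseToken); tok != "" {
		return tok, src
	}
	if inCodespace, _ := strconv.ParseBool(env(codespacesVar)); inCodespace {
		return firstSet(env, githubToken) // the leak
	}
	return "", ""
}

// tokenForHostFixed models 2.11.1: GITHUB_TOKEN/GH_TOKEN are only considered
// for GitHub hosts; enterprise hosts get only the enterprise variables.
func tokenForHostFixed(host string, env envFunc) (token, source string) {
	if isGitHubHost(host) {
		return firstSet(env, ghToken, githubToken)
	}
	return firstSet(env, ghEnterpriseToken, githubEnterpriseToken)
}

func main() {
	// Constructed codespace environment: only a GitHub.com token is present.
	vars := map[string]string{githubToken: "ghp_example", codespacesVar: "true"}
	env := func(k string) string { return vars[k] }
	for _, host := range []string{"github.com", "acme.ghe.com", "git.internal.example"} {
		vt, vs := tokenForHostVulnerable(host, env)
		ft, fs := tokenForHostFixed(host, env)
		fmt.Printf("%-22s vulnerable=%q (%s)  fixed=%q (%s)\n", host, vt, vs, ft, fs)
	}
}
```

Running it shows the difference on the third host only: the vulnerable model hands `ghp_example` to `git.internal.example`, the fixed model returns nothing, and both agree on the GitHub.com and ghe.com hosts. When triaging, the question to ask of an affected codespace is therefore not "was `GITHUB_TOKEN` set" (it normally is) but "did any tooling talk to a non-GitHub host without an enterprise token configured".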
Risk Scores
EPSS 0.08% · 23.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| cli | go-gh | < 2.11.1 |
| github.com | cli/go-gh | from 0 (fixed version not listed) |
| github.com | cli/go-gh/v2 | from 0 (fixed version not listed) |
| github | go-gh | from 0 (fixed version not listed) |
Exploit Intelligence
- CIRCL seen: CVE-2024-53859 (circl-sighting)
- https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh (circl)
- https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps (circl)
- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log (circl)
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token (circl)
- https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens (circl)
- https://github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go#L73-L77 (circl)
Timeline
- (date not recorded) Security Advisory
- Nov 27, 2024 CVE Published
- Nov 27, 2024 PoC Published
- Nov 28, 2024 EPSS Score
- Nov 29, 2024 Coalition ESS Score
- Dec 12, 2024 CVE Updated
- Dec 16, 2024 EPSS Score
- Jan 2, 2025 EPSS Score
- Jan 19, 2025 EPSS Score
- Feb 6, 2025 EPSS Score
- Feb 23, 2025 EPSS Score
- Mar 12, 2025 EPSS Score
References
- https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh url
- https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps url
- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log url
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token url
- https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens url
- https://github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go#L73-L77 url
- https://nvd.nist.gov/vuln/detail/CVE-2024-53859 advisory
- https://github.com/cli/go-gh package
- https://pkg.go.dev/vuln/GO-2024-3295 url