CVE-2025-48938 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-48938 PUBLISHED CVSS 2.5999999046325684 LOW

go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.

EPSS 0.14% · 34.0th percentile

Risk Scores

CVSS v4.0

2.5999999046325684

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U

EPSS Score

0.14%

34.0th percentile

Affected Products

Vendor	Product	Versions
cli	go-gh	0, *, < 2.12.1
github.com	cli/go-gh/v2	0, 0

Timeline

Jan 21, 1970 Security Advisory
May 30, 2025 CVE Published
May 30, 2025 Coalition ESS Score
May 30, 2025 PoC Published
May 31, 2025 EPSS Score
May 31, 2025 Coalition ESS Score
Jun 2, 2025 Coalition ESS Score
Jun 4, 2025 CVE Updated
Jun 10, 2025 EPSS Score
Jun 21, 2025 EPSS Score
Jul 1, 2025 EPSS Score
Jul 11, 2025 EPSS Score

References

Open in Interactive Console →