chore(deps): update module github.com/cli/cli to v2 [security]#30

Open
alaudaa-renovate[bot] wants to merge 1 commit into alauda-v5.8.0 from renovate/go-github.com-cli-cli-vulnerability

Conversation

@alaudaa-renovate (Bot) commented May 10, 2026


This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/cli/cli | v1.14.0 -> v2.62.0 | age | confidence |

GitHub Vulnerability Alerts

CVE-2024-52308

Summary

A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands.

Details

The vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use an SSH server running within a devcontainer, often provided through the default devcontainer image. GitHub CLI retrieves SSH connection details, such as the remote username, which is used in executing ssh commands for the gh codespace ssh or gh codespace logs commands.

This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects ssh arguments within the SSH connection details. The gh codespace ssh and gh codespace logs commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes ssh to execute the provided command, while the `#` shell comment causes any other ssh arguments to be ignored.

In 2.62.0, the remote username information is being validated before being used.

Impact

Successful exploitation could lead to arbitrary code execution on the user's workstation, potentially compromising the user's data and system.

Remediation and Mitigation

  1. Upgrade gh to 2.62.0
  2. Exercise caution when using custom devcontainer images; prefer default or pre-built devcontainers from trusted sources.

Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

CVE-2024-54132 / GHSA-2m9h-r57g-45pj / GO-2024-3310

More information

Details

Summary

A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download.

Details

This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value.

In 2.63.1, gh run download will not download artifacts named `..` and `.` and instead exits with the following error message:

```
error downloading ..: would result in path traversal
```

Impact

Successful exploitation heightens the risk of local path traversal attack vectors exactly 1 directory higher than intended.

Remediation and Mitigation
  1. Upgrade gh to 2.63.1
  2. Implement additional validation to ensure artifact filenames do not contain potentially dangerous patterns, such as .., to prevent path traversal risks.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Green

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


GitHub CLI: GitHub Actions log output in gh run view allows terminal escape sequence injection

CVE-2026-45803 / GHSA-crc3-h8v6-qh57

More information

Details

Summary

A security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed.

Details

The vulnerability stems from the way GitHub CLI handles raw Actions log output. The gh run view --log and gh run view --log-failed commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR-triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run.

Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on-screen content, or, in some terminal emulators (such as screen), potentially execute arbitrary commands.

In 2.92.0, GitHub CLI sanitizes terminal control sequences in Actions log output before writing to the terminal.

PoC

Create a workflow that emits terminal escape sequences in its log output:

```yaml
name: Escape Sequence PoC

on:
  workflow_dispatch:

jobs:
  emit-escape-sequences:
    runs-on: ubuntu-latest
    steps:
      - name: Emit terminal escape sequences
        run: |
          # OSC title set
          printf 'ESCAPE_MARKER_START \033]0;HIJACKED_TITLE\007 ESCAPE_MARKER_END\n'
          # CSI color
          printf 'ESCAPE_MARKER_START \033[31mRED_TEXT\033[0m ESCAPE_MARKER_END\n'
          # Screen title set (enables command execution in screen terminal)
          printf 'ESCAPE_MARKER_START \033k;malicious command;\033\\ ESCAPE_MARKER_END\n'
```

Then trigger the workflow and view its logs:

```sh
gh workflow run 'Escape Sequence PoC'
gh run view <run_id> --log
```

On vulnerable versions, the raw ESC bytes (0x1b) are passed through to the terminal unsanitized. On 2.92.0 and later, escape sequences are stripped and only the safe visible text is displayed.

Impact

An attacker who can control GitHub Actions workflow output can inject terminal escape sequences into a maintainer's terminal session when they inspect the run with gh run view --log or gh run view --log-failed. The practical impact depends on the victim's terminal emulator.

Remediation and Mitigation
  1. Upgrade gh to 2.92.0
  2. Pipe log output through a sanitizer (e.g., gh run view --log | cat -v) as a workaround on older versions
  3. Exercise caution when viewing logs from untrusted workflow runs

Severity

  • CVSS Score: 3.5 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer

CVE-2024-52308 / GHSA-p2h2-3vg9-4p87 / GO-2024-3269

Severity

  • CVSS Score: 8.0 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

cli/cli (github.com/cli/cli)

v2.62.0: GitHub CLI 2.62.0

Compare Source

What's Changed

Full Changelog: cli/cli@v2.61.0...v2.62.0

Security

  • A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands.

    For more information, see GHSA-p2h2-3vg9-4p87

GitHub CLI notifies users about latest extension upgrades

Similar to the notification of latest gh releases, the v2.62.0 version of GitHub CLI will notify users about latest extension upgrades when the extension is used:

```
$ gh ado2gh
...

A new release of ado2gh is available: 1.7.0 → 1.8.0
To upgrade, run: gh extension upgrade ado2gh --force
https://github.com/github/gh-ado2gh
```

Why does this matter?

This removes a common pain point of extension authors as they have had to reverse engineer and implement a similar mechanism within their extensions directly.

With this quality of life improvement, there are 2 big benefits:

  1. Extension authors will hopefully see increased adoption of newer releases while having a lower bar to maintaining their extensions.
  2. GitHub CLI users will have greater awareness of new features, bug fixes, and security fixes to the extensions they use.

What do you need to do?

Extension authors should review their extensions and consider removing any custom logic previously implemented to notify users of new releases.

v2.61.0: GitHub CLI 2.61.0

Compare Source

Ensure users understand consequences before making repository visibility changes

In v2.61.0, the gh repo edit command has been enhanced to inform users about the consequences of changing visibility and to ensure users are intentional before making irreversible changes:

  1. Interactive gh repo edit visibility change requires confirmation when changing from public, private, or internal
  2. Non-interactive gh repo edit --visibility change requires new --accept-visibility-change-consequences flag to confirm
  3. New content to inform users of consequences
    • Incorporate GitHub Docs content into help usage and interactive gh repo edit experience
    • Expanded help usage to call out most concerning consequences
    • Display repository star and watcher counts to understand impact before confirming

What's Changed

New Contributors

Full Changelog: cli/cli@v2.60.1...v2.61.0

v2.60.1: GitHub CLI 2.60.1

Compare Source

This is a small patch release to fix installing gh via go install which was broken with v2.60.0.

What's Changed

Full Changelog: cli/cli@v2.60.0...v2.60.1

v2.60.0: GitHub CLI 2.60.0

Compare Source

What's Changed

Acceptance Test Changes

New Contributors

Full Changelog: cli/cli@v2.59.0...v2.60.0

v2.59.0: GitHub CLI 2.59.0

Compare Source

What's Changed

New Contributors

Full Changelog: cli/cli@v2.58.0...v2.59.0

v2.58.0: GitHub CLI 2.58.0

Compare Source

What's Changed

New Contributors

Full Changelog: cli/cli@v2.57.0...v2.58.0

v2.57.0: GitHub CLI 2.57.0

Compare Source

What's Changed

New Contributors

Full Changelog: cli/cli@v2.56.0...v2.57.0

v2.56.0: GitHub CLI 2.56.0

Compare Source

Important note about renewed GPG key

The Debian and RedHat releases have been signed with a new GPG key. If you are experiencing issues updating your .deb or .rpm packages, please read cli/cli#9569.

What's Changed

New Contributors

Full Changelog: cli/cli@v2.55.0...v2.56.0

v2.55.0: GitHub CLI 2.55.0

Compare Source

What's Changed

New Contributors

Full Changelog: cli/cli@v2.54.0...v2.55.0

v2.54.0: GitHub CLI 2.54.0

Compare Source

What's Changed

New Contributors

Full Changelog: cli/cli@v2.53.0...v2.54.0

v2.53.0: GitHub CLI 2.53.0

Compare Source

What's Changed

New Contributors

Full Changelog: cli/cli@v2.52.0...v2.53.0

v2.52.0: GitHub CLI 2.52.0

Compare Source

What's Changed

New Contributors

Full Changelog: cli/cli@v2.51.0...v2.52.0

v2.51.0: GitHub CLI 2.51.0

Compare Source

What's Changed

New Contributors

Full Changelog: cli/cli@v2.50.0...v2.51.0

v2.50.0: GitHub CLI 2.50.0

Compare Source

What's Changed


Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.
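Two checks in the spirit of the 2.62.0 and 2.63.1 fixes described in the CVE-2024-52308 and CVE-2024-54132 entries above, written here as an added Go example rather than cli/cli's own code: ValidateSSHUser applies an assumed allow-list to the remote username before it can reach an ssh command line, and ArtifactDownloadDir refuses artifact names that would escape the --dir target, generalizing the `.`/`..` check to any name carrying a path separator.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// loginName is an assumed allow-list for a Codespace remote username: a plain POSIX-style
// login name. A leading '-', quotes, spaces, '#' or '@' are refused before the value ever
// reaches an ssh command line, which closes the -oProxyCommand injection described above.
var loginName = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// ValidateSSHUser returns nil only when user is safe to pass to ssh as a login name.
func ValidateSSHUser(user string) error {
	if strings.HasPrefix(user, "-") {
		return fmt.Errorf("remote user %q would be parsed by ssh as an option", user)
	}
	if !loginName.MatchString(user) {
		return fmt.Errorf("remote user %q is not a plain login name", user)
	}
	return nil
}

// ArtifactDownloadDir resolves where an artifact called name would be extracted under base
// and refuses names that escape it: "." and ".." (the 2.63.1 check) and, generalizing, any
// name carrying a path separator or that still resolves outside base after cleaning.
func ArtifactDownloadDir(base, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("error downloading %s: would result in path traversal", name)
	}
	dest := filepath.Join(base, name)
	rel, err := filepath.Rel(base, dest) // belt and braces: dest must stay strictly inside base
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("error downloading %s: would result in path traversal", name)
	}
	return dest, nil
}

func main() {
	for _, u := range []string{"codespace", `-oProxyCommand="echo hacked" #`} {
		fmt.Printf("ssh user %q: %v\n", u, ValidateSSHUser(u))
	}
	for _, n := range []string{"build-logs", "..", "../etc"} {
		dest, err := ArtifactDownloadDir("downloads", n)
		fmt.Printf("artifact %q: dest=%q err=%v\n", n, dest, err)
	}
}
```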
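A log sanitizer of the kind the 2.92.0 fix for CVE-2026-45803 above describes, written as an added Go example rather than cli/cli's own implementation; the three sample lines in main are constructed from the PoC workflow's output, and the set of sequence families handled is my assumption.

```go
package main

import (
	"fmt"
	"strings"
)
// SanitizeLogLine strips terminal control sequences from one Actions log line: CSI (ESC [ ... final byte),
// strings opened by ESC ] k P _ ^ X (ended by BEL or ESC \), other ESC pairs, and stray C0 bytes except tab.
func SanitizeLogLine(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == 0x1b && i+1 < len(s) {
			i += 2 // consume ESC and the introducer byte
			switch s[i-1] {
			case '[': // CSI: skip parameter/intermediate bytes; the loop's i++ drops the final byte
				for i < len(s) && s[i] >= 0x20 && s[i] <= 0x3f {
					i++
				}
			case ']', 'k', 'P', '_', '^', 'X': // string sequence: drop up to BEL or ESC \
				for i < len(s) && s[i] != 0x07 && !(s[i] == 0x1b && i+1 < len(s) && s[i+1] == '\\') {
					i++
				}
				if i < len(s) && s[i] == 0x1b {
					i++ // land on the backslash so the loop's i++ drops it too
				}
			default: // two-byte sequence such as ESC 7 or ESC c: nothing more to consume
				i--
			}
			continue
		}
		if (c < 0x20 && c != '\t') || c == 0x7f {
			continue // lone C0 control byte (BEL, CR, a trailing ESC, ...) or DEL; UTF-8 bytes pass
		}
		b.WriteByte(c)
	}
	return b.String()
}

func main() {
	for _, l := range []string{ // constructed sample: the three lines the PoC workflow above emits
		"ESCAPE_MARKER_START \x1b]0;HIJACKED_TITLE\x07 ESCAPE_MARKER_END",
		"ESCAPE_MARKER_START \x1b[31mRED_TEXT\x1b[0m ESCAPE_MARKER_END",
		"ESCAPE_MARKER_START \x1bk;malicious command;\x1b\\ ESCAPE_MARKER_END",
	} {
		fmt.Printf("%q\n", SanitizeLogLine(l))
	}
}
```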

@alaudaa-renovate (Author)

ℹ Artifact update notice

File name: hack/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 12 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/AlecAivazis/survey/v2 | v2.2.14 -> v2.3.7 |
| github.com/briandowns/spinner | v1.11.1 -> v1.18.1 |
| github.com/charmbracelet/glamour | v0.3.0 -> v0.7.0 |
| github.com/cli/browser | v1.1.0 -> v1.3.0 |
| github.com/cli/oauth | v0.8.0 -> v1.1.1 |
| github.com/gabriel-vasile/mimetype | v1.1.2 -> v1.4.6 |
| github.com/henvic/httpretty | v0.0.6 -> v0.1.4 |
| github.com/itchyny/gojq | v0.12.4 -> v0.12.15 |
| github.com/itchyny/timefmt-go | v0.1.3 -> v0.1.5 |
| github.com/muesli/reflow | v0.2.0 -> v0.3.0 |
| github.com/shurcooL/githubv4 | v0.0.0-20200928013246-d292edc3691b -> v0.0.0-20240120211514-18a1ae0e79dc |
| github.com/shurcooL/graphql | v0.0.0-20181231061246-d48a9a75455f -> v0.0.0-20230722043721-ed46e5a46466 |
