Bug 2369479 (CVE-2025-48938)

Summary: CVE-2025-48938 github.com/cli/go-gh/pkg/browser: github.com/cli/go-gh/v2/pkg/browser: GitHub CLI may execute arbitrary commands from compromised GitHub Enterprise Server
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in the `Browser.Browse()` functionality of GitHub cli. This flaw allows an attacker who has control of a compromised GitHub Enterprise Server to execute arbitrary commands in the context of the cli user.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2369485, 2369482, 2369483, 2369484    
Bug Blocks:    

Description OSIDB Bzimport 2025-05-30 19:01:20 UTC 
go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.