CVE-2025-48938
GitHub CLI and extensions can execute arbitrary commands on compromised GitHub Enterprise Server in github.com/cli/go-gh
Description
go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.
How to fix CVE-2025-48938
To remediate CVE-2025-48938, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —upgrade to 2.12.1 or later
- —upgrade to 2.12.1 or later
Is CVE-2025-48938 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0
- from 0
- from 0, < 2.12.1
- from 0, < 2.12.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |