Home > Vulnerability Database > CVE-2025-25204

Mend.io Vulnerability Database

CVE-2025-25204

Good to know:

Date: February 14, 2025

"gh" is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool "gh attestation verify" causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, "gh attestation verify" should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses "gh attestation verify"'s exit codes to gatekeep deployments. Users are advised to update "gh" to patched version "v2.67.0" as soon as possible.

Severity Score

6.3

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-25204

Url: https://github.com/cli/cli

Url: https://github.com/cli/cli/pull/10421

Url: https://github.com/cli/cli/issues/10418

Url: https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8

Url: https://www.mend.io/vulnerability-database/CVE-2025-25204

Severity Score

6.3

Weakness Type (CWE)

Detection of Error Condition Without Action

CWE-390

Top Fix

Upgrade Version

Upgrade to version github.com/cli/cli/v2 - v2.67.0

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-25204

Good to know:

Date: February 14, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?