Vulnerability DatabaseCVE-2025-25204
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-25204
February 14, 2025
"gh" is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool "gh attestation verify" causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, "gh attestation verify" should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses "gh attestation verify"'s exit codes to gatekeep deployments. Users are advised to update "gh" to patched version "v2.67.0" as soon as possible.
Affected Packages
github.com/cli/cli/v2 (GO):
Affected version(s) >=v2.49.0 <v2.67.0
Fix Suggestion:
Update to version v2.67.0
Related Resources (5)
https://github.com/cli/cli
https://github.com/cli/cli/issues/10418
https://nvd.nist.gov/vuln/detail/CVE-2025-25204
https://github.com/cli/cli/pull/10421
https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8
Do you need more information?
Contact Us
CVSS v4
Base Score:
7
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Detection of Error Condition Without Action
CWE-390
EPSS
Base Score:
0.14