Vulnerability DatabaseCVE-2025-48938
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-48938
May 30, 2025
go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In "2.12.1", "Browser.Browse()" has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.
Affected Packages
https://github.com/cli/go-gh.git (GITHUB):
Affected version(s) >=v0.0.1 <v2.12.1
Fix Suggestion:
Update to version v2.12.1
Related ResourcesĀ (5)
https://nvd.nist.gov/vuln/detail/CVE-2025-48938
https://github.com/cli/go-gh/commit/a08820a13f257d6c5b4cb86d37db559ec6d14577
https://github.com/cli/go-gh
https://github.com/cli/go-gh/security/advisories/GHSA-g9f5-x53j-h563
https://github.com/cli/go-gh/blob/61bf393cf4aeea6d00a6251390f5f67f5b67e727/pkg/browser/browser.go
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
Exploit Maturity
UNREPORTED
CVSS v3
Base Score:
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Trust Boundary Violation
CWE-501
EPSS
Base Score:
0.14