cvedb.io
CVE-2025-48938
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2025-05-30T19:15:29.980 · Last modified 2026-06-17T09:30:31.053

Summary

go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.

Affected products

cli — go-gh

Does this affect you?

Add your gear to cvedb and we'll alert you only when cli ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.