CVE-2024-54132: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

December 4, 2024

A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download.

References

github.com/advisories/GHSA-2m9h-r57g-45pj
github.com/cli/cli
github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932
github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj
nvd.nist.gov/vuln/detail/CVE-2024-54132

Code Behaviors & Features

Detect and mitigate CVE-2024-54132 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →