Advisories for Golang/Github.com/Cli/Go-Gh/V2 package

2025

Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server

A security vulnerability has been identified in go-gh where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing.

2024

`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace

A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.