CVE-2025-48938

Name	CVE-2025-48938
Description	go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1107083, 1107084

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-github-cli-go-gh (PTS)	bookworm	1.0.0-1	vulnerable
	sid, trixie	1.2.1-2	vulnerable
golang-github-cli-go-gh-v2 (PTS)	sid, trixie	2.6.0-2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
golang-github-cli-go-gh	source	(unstable)	(unfixed)			1107084
golang-github-cli-go-gh-v2	source	(unstable)	(unfixed)			1107083

Notes

https://github.com/cli/go-gh/security/advisories/GHSA-g9f5-x53j-h563
Fixed by: https://github.com/cli/go-gh/commit/df956a6624bc1210543873062ce0905357be1299 (v2.12.1)
Fixed by: https://github.com/cli/go-gh/commit/0f8a22fe3a4b3d418268dfef57bcee15330f5b15 (v2.12.1)
Fixed by: https://github.com/cli/go-gh/commit/258949bd372e4689d3203cbcef8734062ff59a97 (v2.12.1)
Fxied by: https://github.com/cli/go-gh/commit/055ff2108e3edff35996a8efa3afa0a9e64649f1 (v2.12.1)
Fixed by: https://github.com/cli/go-gh/commit/56c6f10bd535e14098f5a21232f931463c808a77 (v2.12.1)
Fixed by: https://github.com/cli/go-gh/commit/1ecf6c49ecb0629c6538d88970b669bf4f989ccc (v2.12.1)