**GitHub CLI (gh): CVE-2024-54132**
**Name of the Vulnerable Software and Affected Versions**
GitHub CLI versions prior to 2.63.1
**Description**
A security issue has been identified in GitHub CLI that could create or overwrite files in unintended directories when a user downloads a malicious GitHub Actions workflow artifact with `gh run download`. The issue is triggered by a workflow artifact whose name is `..`. `gh run download` builds the artifact's download path from the artifact name and the value of the `--dir` flag; when the artifact is named `..`, the joined path resolves to the parent of `--dir`, so the files within the artifact are extracted exactly one directory above the specified `--dir` value.
**Recommendations**
Upgrade `gh` to `2.63.1` to resolve the issue. As a temporary workaround, consider implementing additional validation to ensure artifact names do not contain potentially dangerous patterns, such as `..`, to prevent path traversal risks. Avoid using the `--dir` flag with untrusted artifact names until the issue is resolved.
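To make the path computation in the description and the validation suggested in the recommendations concrete, here is an added Go example (not gh's own code; the function names and the `downloads` directory are assumptions). It shows the unvalidated join that lets an artifact named `..` resolve to the parent of `--dir`, beside a check that rejects any artifact name whose resolved path would escape the download directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// naiveArtifactDir mirrors the flawed logic: the artifact name is joined
// to the --dir value with no validation, so an artifact named ".." resolves
// to the parent of --dir and its files land one level above it.
func naiveArtifactDir(dir, artifactName string) string {
	return filepath.Join(dir, artifactName)
}

var ErrEscapesDir = errors.New("artifact name escapes download directory")

// safeArtifactDir cleans the artifact name and rejects it if it is absolute,
// is "." or "..", or starts with "../"; it then confirms the joined path is
// still inside dir (belt-and-braces containment check via filepath.Rel).
func safeArtifactDir(dir, artifactName string) (string, error) {
	up := ".." + string(filepath.Separator)
	cleanDir := filepath.Clean(dir)
	name := filepath.Clean(artifactName)
	if filepath.IsAbs(name) || name == "." || name == ".." || strings.HasPrefix(name, up) {
		return "", ErrEscapesDir
	}
	target := filepath.Join(cleanDir, name)
	rel, err := filepath.Rel(cleanDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, up) {
		return "", ErrEscapesDir
	}
	return target, nil
}

func main() {
	// Constructed sample artifact names, including the traversal case.
	for _, name := range []string{"build-output", "..", "../sibling", "nested/dir"} {
		fmt.Printf("naive %-12q -> %s\n", name, naiveArtifactDir("downloads", name))
		if p, err := safeArtifactDir("downloads", name); err != nil {
			fmt.Printf("safe  %-12q -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("safe  %-12q -> %s\n", name, p)
		}
	}
}
```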