PT-2024-35955 · Github+3 · Github Cli+3

Ry0Tak · Published 2024-11-27 · Updated 2026-02-04 · CVE-2024-53858

CVSS v3.1: 6.5 (Medium)
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: GitHub CLI versions prior to 2.63.0
Description: A security issue has been identified in the GitHub CLI that can leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. The issue stems from several gh commands, including gh repo clone, gh repo fork, and gh pr checkout, which invoke git with instructions to retrieve authentication tokens through the credential.helper configuration variable for any host encountered. Prior to version 2.63.0, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts, and tokens are sourced from the environment variables GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN, and GITHUB_TOKEN when the CODESPACES environment variable is set. As a result, git sends these authentication tokens to the submodule host when cloning submodules. Successful exploitation could allow a third party to use the leaked authentication tokens to access privileged resources.
Recommendations: Upgrade to version 2.63.0 or later. Revoke authentication tokens used with the GitHub CLI, including personal access tokens and GitHub CLI OAuth app authorizations. Review your personal security log and any relevant audit logs for actions associated with your account or enterprise.
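Two defender-side checks that follow from the description above, written here as an added example (it is not code from the advisory or from the gh project): a version test that tells whether an installed gh predates the fixed 2.63.0, and a scan of a repository's .gitmodules that lists every submodule host other than github.com and ghe.com, i.e. the hosts a vulnerable gh would hand a token to. The function names, the sample .gitmodules file and the exact-host comparison are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the gh project): pre-clone checks for CVE-2024-53858.
#   gh_is_vulnerable VERSION           exit 0 when VERSION is older than the fixed 2.63.0
#   flag_third_party_submodules FILE   print hosts from .gitmodules that are neither github.com nor ghe.com
# Names, sample data and the exact-host comparison are assumptions made for this example.

# Accepts raw `gh --version` output ("gh version 2.62.0 (2024-11-20)") or a bare "2.62.0".
gh_is_vulnerable() {
    v=$(printf '%s\n' "$1" | head -n 1 \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    if [ -z "$v" ]; then return 2; fi    # 2 = could not parse a version triple
    set -- $v                            # $1=major $2=minor $3=patch
    if [ "$1" -lt 2 ]; then return 0; fi
    if [ "$1" -gt 2 ]; then return 1; fi
    if [ "$2" -lt 63 ]; then return 0; fi
    return 1                             # 2.63.0 and later carry the fix
}

# Extract the lowercase network host from a submodule URL; empty for relative/local paths.
submodule_host() {
    url="$1"
    case "$url" in
        *://*) h=${url#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*} ;;  # scheme://[user@]host[:port]/path
        *@*:*) h=${url#*@};   h=${h%%:*} ;;                            # scp-like git@host:path
        *)     h="" ;;                                                 # relative path: resolved against the superproject
    esac
    printf '%s\n' "$h" | tr '[:upper:]' '[:lower:]'
}

# Print every submodule host in FILE that is not github.com or ghe.com (exact match; a simplification).
flag_third_party_submodules() {
    grep -i '^[[:space:]]*url[[:space:]]*=' "$1" | while IFS= read -r line; do
        url=${line#*=}
        url=$(printf '%s' "$url" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        host=$(submodule_host "$url")
        case "$host" in
            ""|github.com|ghe.com) ;;       # no network host, or a host gh is meant to authenticate to
            *) printf '%s\n' "$host" ;;
        esac
    done
}

# Constructed sample .gitmodules: one GitHub submodule, one relative path, two third-party hosts.
SAMPLE_GITMODULES=$(mktemp)
cat > "$SAMPLE_GITMODULES" <<'EOF'
[submodule "vendor/cli"]
    path = vendor/cli
    url = https://github.com/cli/cli.git
[submodule "libs/shared"]
    path = libs/shared
    url = ../shared.git
[submodule "vendor/internal"]
    path = vendor/internal
    url = git@git.example.internal:tools/internal.git
[submodule "vendor/mirror"]
    path = vendor/mirror
    url = ssh://git@GitLab.Example.org:2222/mirror/repo.git
EOF

# Stand-alone run: warn if the local gh is affected, then list third-party submodule hosts.
if command -v gh >/dev/null 2>&1; then
    if gh_is_vulnerable "$(gh --version 2>/dev/null)"; then
        echo "gh is older than 2.63.0: upgrade before cloning repositories with submodules"
    fi
fi
echo "Third-party submodule hosts in sample .gitmodules:"
flag_third_party_submodules "$SAMPLE_GITMODULES"
```

Run the scan against a real checkout by passing its .gitmodules path instead of the sample; any host it prints is one where, before 2.63.0, a token from GITHUB_TOKEN or the enterprise variables would have been presented. The version check is the cheaper gate: if it reports the fixed version, the submodule list is only informational.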

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

AZL-53477
AZL-53759
CVE-2024-53858
GHSA-JWCM-9G39-PMCW
GO-2024-3296
OPENSUSE-SU-2024:14567-1
USN-8012-1

Affected Products

Debian
Github Cli
Linuxmint
Ubuntu