PT-2024-35956 · GitHub · go-gh

Ry0Tak · Published 2024-11-27 · Updated 2025-09-22 · CVE-2024-53859
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: go-gh versions prior to 2.11.1
Description: A security issue has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when running within a codespace. go-gh sources authentication tokens from different environment variables depending on the host involved: GITHUB_TOKEN and GH_TOKEN for GitHub.com and ghe.com, and GITHUB_ENTERPRISE_TOKEN and GH_ENTERPRISE_TOKEN for GitHub Enterprise Server. Prior to version 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace (GitHub Codespaces populate GITHUB_TOKEN automatically, so the variable is normally set there). Successful exploitation could send the GitHub.com token, as credentials, to the unintended non-GitHub host being addressed, where its operator could read it.
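To make the selection order concrete, the following is an added example and not go-gh's own code: it reconstructs the flawed lookup described above beside a hardened form and runs both against a constructed codespace environment. The CODESPACES variable as the codespace marker, the simplified host matching, and the precedence between GH_TOKEN and GITHUB_TOKEN are assumptions of this example, not facts taken from the library.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Environment variables named in the advisory.
const (
	envGHToken               = "GH_TOKEN"
	envGitHubToken           = "GITHUB_TOKEN"
	envGHEnterpriseToken     = "GH_ENTERPRISE_TOKEN"
	envGitHubEnterpriseToken = "GITHUB_ENTERPRISE_TOKEN"
	// Assumption for this example: a codespace is detected through this variable.
	envCodespaces = "CODESPACES"
)

// getenv abstracts os.Getenv so the example runs offline against a constructed map.
type getenv func(string) string

// mapEnv builds a getenv from a constructed environment.
func mapEnv(m map[string]string) getenv {
	return func(k string) string { return m[k] }
}

// isGitHubDotCom reports whether host is github.com or ghe.com, or a subdomain
// of either. Simplified normalization: lower-case and drop any port.
func isGitHubDotCom(host string) bool {
	host = strings.ToLower(host)
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i]
	}
	for _, d := range []string{"github.com", "ghe.com"} {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// inCodespace treats any true-ish CODESPACES value as "running in a codespace".
func inCodespace(env getenv) bool {
	v, _ := strconv.ParseBool(env(envCodespaces))
	return v
}

// first returns the first non-empty variable among names, together with its name.
func first(env getenv, names ...string) (string, string) {
	for _, n := range names {
		if t := env(n); t != "" {
			return t, n
		}
	}
	return "", ""
}

// tokenForHostVulnerable reproduces the flawed order: for a non-GitHub host,
// after the enterprise variables, it falls back to GITHUB_TOKEN when running
// inside a codespace, so the github.com credential is handed to a foreign host.
func tokenForHostVulnerable(host string, env getenv) (token, source string) {
	if isGitHubDotCom(host) {
		return first(env, envGHToken, envGitHubToken)
	}
	if t, s := first(env, envGHEnterpriseToken, envGitHubEnterpriseToken); t != "" {
		return t, s
	}
	// BUG: GITHUB_TOKEN is only ever valid for github.com/ghe.com.
	if inCodespace(env) {
		return first(env, envGitHubToken)
	}
	return "", ""
}

// tokenForHostFixed never lets a github.com token cross to another host:
// non-GitHub hosts are served from the enterprise variables or nothing at all.
func tokenForHostFixed(host string, env getenv) (token, source string) {
	if isGitHubDotCom(host) {
		return first(env, envGHToken, envGitHubToken)
	}
	return first(env, envGHEnterpriseToken, envGitHubEnterpriseToken)
}

func main() {
	// Constructed codespace environment: only the github.com token is set.
	env := mapEnv(map[string]string{envCodespaces: "true", envGitHubToken: "ghu_example_dotcom_token"})
	for _, host := range []string{"api.github.com", "ghes.corp.example"} {
		vt, vs := tokenForHostVulnerable(host, env)
		ft, fs := tokenForHostFixed(host, env)
		fmt.Printf("%-18s vulnerable=%q(%s) fixed=%q(%s)\n", host, vt, vs, ft, fs)
	}
}
```

Running it shows the two functions agree for api.github.com and disagree for the enterprise host: the vulnerable path returns the GITHUB_TOKEN value for ghes.corp.example, the hardened path returns nothing, which is the behaviour a caller in a codespace should expect when no enterprise token is configured.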
Recommendations: Upgrade go-gh to version 2.11.1 or later. Regenerate authentication tokens that may have been exposed, including personal access tokens and GitHub CLI OAuth app tokens. Review personal security logs and any relevant audit logs for actions associated with the account or enterprise.

Exploit · Fix · Information Disclosure


Related Identifiers

AZL-53453
CVE-2024-53859
GHSA-55V3-XH23-96GH
GO-2024-3295
OPENSUSE-SU-2024:14599-1
USN-7362-1

Affected Products

Debian
Linux Mint
Ubuntu
go-gh