PT-2025-23335 · Go-Gh+1

Matt- · Published 2025-05-30 · Updated 2025-10-15 · CVE-2025-48938

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

go-gh versions prior to 2.12.1

Description

A security issue has been identified where an attacker-controlled GitHub Enterprise Server could execute arbitrary commands on a user's machine. This is achieved by replacing HTTP URLs provided by GitHub with local file paths for browsing. The Browser.Browse() function has been enhanced in version 2.12.1 to prevent opening or executing files on the filesystem without impacting HTTP URLs.

Recommendations

For versions prior to 2.12.1, upgrade to version 2.12.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Browser.Browse() function until a patch is available. Avoid using the Browser.Browse() function with untrusted GitHub Enterprise Server URLs to minimize the risk of exploitation.
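
For callers that cannot upgrade immediately, the check below is an added example (not go-gh's own code and not the 2.12.1 patch) of validating a server-supplied value before it is handed to Browser.Browse(). The helper name `checkBrowseTarget`, the host-pinning parameter and the sample hosts are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// checkBrowseTarget is a hypothetical helper (not part of go-gh). It accepts a
// server-supplied string only if it is an absolute http(s) URL with a host,
// optionally pinned to the host the user chose to talk to.
func checkBrowseTarget(raw, expectedHost string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("unparseable URL: %w", err)
	}
	// Bare paths have no scheme; `C:\...` parses with scheme "c"; file:// is explicit.
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("refusing scheme %q", u.Scheme)
	}
	// "http:///tmp/x" and "https:opaque" carry no host.
	if u.Hostname() == "" {
		return "", errors.New("URL has no host")
	}
	if expectedHost != "" && !strings.EqualFold(u.Hostname(), expectedHost) {
		return "", fmt.Errorf("host %q is not %q", u.Hostname(), expectedHost)
	}
	return u.String(), nil
}

func main() {
	// Constructed sample values, standing in for URLs taken from API responses.
	samples := []string{
		"https://ghe.example.com/org/repo/pull/1",
		"file:///usr/bin/id",
		"/usr/bin/id",
		`C:\Windows\System32\calc.exe`,
		"http:///tmp/payload",
		"https://other.example.net/org/repo",
	}
	for _, s := range samples {
		if target, err := checkBrowseTarget(s, "ghe.example.com"); err != nil {
			fmt.Printf("BLOCK %-45q %v\n", s, err)
		} else {
			fmt.Printf("OPEN  %s\n", target)
		}
	}
}
```

Only a value that passes the check would be passed on to the browser launcher; everything else is logged and dropped.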

Related Identifiers

AZL-62282
CVE-2025-48938
GHSA-G9F5-X53J-H563
GO-2025-3732
OPENSUSE-SU-2025:15225-1

Affected Products

Debian
Go-Gh