PT-2025-7058 · GitHub · gh
Bagtoad · Published 2025-02-14 · Updated 2025-03-13
CVE-2025-25204
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: gh versions 2.49.0 through 2.66.x
Description: A bug in GitHub's Artifact Attestation CLI tool, gh attestation verify, causes it, under certain conditions, to return a zero exit status even when no attestations are present. This behavior is incorrect: the command should return a non-zero exit status to signal verification failure. An attacker can abuse this flaw to deploy malicious artifacts in any system that relies solely on the exit code of gh attestation verify to gatekeep deployments.
Recommendations: For gh versions 2.49.0 through 2.66.x, update to v2.67.0 as soon as possible. As a temporary workaround, verify the output of gh attestation verify in addition to its exit code to ensure that at least one attestation was actually verified.
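The workaround above, as an added example that is not part of the advisory or of the gh project: a deployment gate that fails closed unless the exit status is zero AND the command's output lists at least one verified attestation. It assumes gh attestation verify is invoked with --owner and --format json and that the JSON output is an array with one element per attestation; the simulated outputs in the test are constructed, not captured from the tool.

```python
"""Deployment gate for `gh attestation verify` that does not trust the exit code alone."""
import json
import subprocess
from typing import Callable, List, Optional, Tuple


def exit_code_only_gate(exit_code: int, stdout: str) -> bool:
    """The weak pattern this advisory warns about: pass whenever the command exited 0.

    On affected gh versions this lets an artifact with no attestations through.
    """
    return exit_code == 0


def hardened_gate(exit_code: int, stdout: str) -> bool:
    """Fail closed unless exit code is 0 AND the JSON output is a non-empty array.

    Assumption: `--format json` prints a JSON array with one entry per verified
    attestation. Empty output, `[]`, or unparseable output all count as failure.
    """
    if exit_code != 0:
        return False
    try:
        results = json.loads(stdout)
    except json.JSONDecodeError:
        return False
    return isinstance(results, list) and len(results) > 0


def _run_gh(cmd: List[str]) -> Tuple[int, str]:
    """Run the real CLI; returns (exit_code, stdout)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def verify_artifact(artifact: str, owner: str,
                    run: Optional[Callable[[List[str]], Tuple[int, str]]] = None) -> bool:
    """Run `gh attestation verify` and apply the hardened gate.

    `run` is injectable so the gate logic can be exercised without the gh CLI
    or network access (hypothetical hook, not a gh feature).
    """
    cmd = ["gh", "attestation", "verify", artifact,
           "--owner", owner, "--format", "json"]
    code, out = (run or _run_gh)(cmd)
    return hardened_gate(code, out)
```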


Weakness Enumeration

Related Identifiers

AZL-56885
CVE-2025-25204
GHSA-FGW4-V983-MGP8
GO-2025-3467
OPENSUSE-SU-2025:14889-1

Affected Products

gh