PT-2026-39901 · Npm · Github Copilot
Published
2026-05-11
·
Updated
2026-05-11
·
CVE-2026-45033
CVSS v4.0
8.5
High
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Summary
A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set
core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval.Details
Git supports bare repositories — repositories without a working tree — which can be discovered automatically when git traverses the directory hierarchy looking for a
.git directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute.The vulnerability arises because git's
core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse.Attack Scenario
An attacker can exploit this by:
- Creating a bare git repository nested inside a seemingly normal project directory (e.g.,
vendor/malicious.git/or a deeply nested subdirectory) - Configuring
core.fsmonitor(or similar keys) in that bare repository to execute a malicious command - When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker's command
This can occur when:
- The agent navigates into a subdirectory containing the buried bare repo
- The agent runs
git status,git diff, or other routine git commands - The agent uses tools like
greporglobthat may trigger git operations in subdirectories
Prior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.
Impact
An attacker who can place a malicious bare repository inside a project — for example, through:
- A pull request adding a directory that contains a bare repository
- A compromised or malicious dependency that includes a bare repository
- A cloned repository that already contains nested bare repositories
— could achieve arbitrary code execution on the user's workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.
Successful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.
Affected Versions
- GitHub Copilot CLI versions prior to 1.0.42
Remediation and Mitigation
Fix
The fix sets
safe.bareRepository=explicit via git's GIT CONFIG COUNT / GIT CONFIG KEY * / GIT CONFIG VALUE * environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal — only explicitly allowlisted bare repositories will be used.User Actions
- Upgrade GitHub Copilot CLI to 1.0.43 or later.
- Exercise caution when working in repositories that contain nested bare git repositories.
- Review project directories for unexpected bare repositories, especially in
vendor/,third party/, or deeply nested subdirectories.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github Copilot