GitHub's official command line tool, gh, contains a bug in its Artifact Attestation subcommand, gh attestation verify. The issue has been assigned CVE-2025-25204 and affects versions 2.49.0 up to, but not including, 2.67.0. Under specific conditions the command returns a zero (success) exit status even though no attestations were found for the artifact being checked. Any deployment pipeline that gates on the exit status of gh attestation verify can therefore be made to accept an artifact that was never attested, allowing an attacker who can place such an artifact in the pipeline to get it deployed.
Developers should update their installations of gh to v2.67.0 or later. The patched release restores the intended behaviour (a non-zero exit status when verification cannot succeed) and keeps attestation-based gates in repository and build systems effective.
Cause of the Vulnerability
The CLI command "gh attestation verify" checks the signed attestations associated with an artifact (for example build provenance produced by a GitHub Actions workflow), confirming that the artifact digest matches and that the attestation was produced by the expected signing identity. Under certain conditions, however, the command found no attestations to verify and still exited with status zero. Because callers such as CI/CD gates treat a zero exit status as "verified", the command should have exited non-zero to signal a verification failure.
The flawed logic, sketched below in Python for illustration (gh itself is written in Go; this is not its source):

def fetch_repository_attestations():
    return []  # stand-in: no attestations were found for the artifact

def verify_attestation():
    attestations = fetch_repository_attestations()
    if not attestations:
        return 0  # BUG: exits successfully; this should be a non-zero failure status
    # ...perform attestation verification checks
    return 0
Exploit Details
An attacker could exploit this by introducing an artifact that carries no attestations into a GitHub Actions pipeline, for instance by substituting a build output or publishing an unattested package. Because gh attestation verify incorrectly returns a zero exit status when no attestations are present, a deployment step that relies solely on that exit status would treat the artifact as verified and deploy it. Note that the bug only triggers under specific conditions and that the attacker still needs a way to get the unattested artifact into the deployment path; the vulnerability removes the check that was supposed to stop that artifact, it does not create the artifact.
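The following is an added example (not gh's own code) that models the failure mode described in the Cause and Exploit sections side by side with the corrected behaviour, and shows a deployment gate that does not rely on the exit status alone. The attestation records, the workflow name and the assumption that a successful verification yields a non-empty JSON list of results are assumptions made for this example.

```python
"""Added example (not gh's own Go source): models the CVE-2025-25204 failure
mode and a deployment gate hardened against it. The attestation records,
workflow names and the JSON shape are assumptions made for this example."""
import json
import sys

EXIT_OK = 0
EXIT_VERIFY_FAILED = 1

# Constructed sample: one attestation record as a gate might see it after
# verification (field names are illustrative, not gh's exact output schema).
EXPECTED_WORKFLOW = "example-org/example-repo/.github/workflows/release.yml@refs/heads/main"
SAMPLE_ATTESTATIONS = [
    {
        "predicate_type": "https://slsa.dev/provenance/v1",
        "signer_workflow": EXPECTED_WORKFLOW,
    }
]


def _check_signers(attestations, expected_workflow):
    """Shared check: every attestation must come from the expected workflow."""
    if all(a.get("signer_workflow") == expected_workflow for a in attestations):
        return EXIT_OK
    return EXIT_VERIFY_FAILED


def verify_vulnerable(attestations, expected_workflow):
    """Models the pre-2.67.0 behaviour: an empty set short-circuits to success."""
    if not attestations:
        return EXIT_OK  # BUG: nothing was verified, yet the caller sees success
    return _check_signers(attestations, expected_workflow)


def verify_fixed(attestations, expected_workflow):
    """Corrected behaviour: absence of attestations is a verification failure."""
    if not attestations:
        return EXIT_VERIFY_FAILED
    return _check_signers(attestations, expected_workflow)


def deployment_gate(exit_code, json_output):
    """Decide whether to deploy. A gate that trusts only the exit status is fooled
    by the bug; this one also requires at least one verified result in the JSON
    output (assumed here to be a list of results), so an empty result set is
    rejected even when the verifier itself is buggy."""
    if exit_code != EXIT_OK:
        return False
    try:
        results = json.loads(json_output)
    except json.JSONDecodeError:
        return False
    return isinstance(results, list) and len(results) > 0


def main():
    # Artifact with no attestations: the buggy verifier says "ok", the fixed one fails.
    print("vulnerable, no attestations ->", verify_vulnerable([], EXPECTED_WORKFLOW))
    print("fixed, no attestations      ->", verify_fixed([], EXPECTED_WORKFLOW))
    # Exit-status-only gate vs. hardened gate, both fed the buggy client's result.
    code = verify_vulnerable([], EXPECTED_WORKFLOW)
    print("exit-status-only gate deploys:", code == EXIT_OK)
    print("hardened gate deploys:        ", deployment_gate(code, "[]"))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The design point is that a deployment gate should assert a positive condition (at least one attestation verified against the expected signer) rather than the absence of an error, so that a verifier which fails open, as the affected gh versions did, still cannot pass an unattested artifact.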
Solution
GitHub has patched this issue in version v2.67.0 of the gh tool. Users are advised to update their installations to this version or later to mitigate the vulnerability, and to confirm the installed version with gh --version afterwards.
# gh has no built-in self-update command; upgrade through the package manager
# you installed it with, then confirm the version is 2.67.0 or later:
$ brew upgrade gh                          # macOS / Linux (Homebrew)
$ sudo apt update && sudo apt install gh   # Debian/Ubuntu (GitHub CLI apt repository)
$ winget upgrade --id GitHub.cli           # Windows
$ gh --version
References
- GitHub Security Advisory for CVE-2025-25204
- gh Command Line Tool Documentation
- GitHub Security
Timeline
Published on: 02/14/2025 17:15:19 UTC