{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25204", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-03T19:30:53.401Z", "datePublished": "2025-02-14T16:38:29.038Z", "dateUpdated": "2025-03-03T19:13:28.888Z"}, "containers": {"cna": {"title": "`gh attestation verify` returns incorrect exit code during verification if no attestations are present", "problemTypes": [{"descriptions": [{"cweId": "CWE-390", "lang": "en", "description": "CWE-390: Detection of Error Condition Without Action", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8"}, {"name": "https://github.com/cli/cli/issues/10418", "tags": ["x_refsource_MISC"], "url": "https://github.com/cli/cli/issues/10418"}, {"name": "https://github.com/cli/cli/pull/10421", "tags": ["x_refsource_MISC"], "url": "https://github.com/cli/cli/pull/10421"}], "affected": [{"vendor": "cli", "product": "cli", "versions": [{"version": ">= 2.49.0, < 2.67.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-14T16:38:29.038Z"}, "descriptions": [{"lang": "en", "value": "`gh` is GitHub\u2019s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible."}], "source": {"advisory": "GHSA-fgw4-v983-mgp8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-19T15:29:05.799010Z", "id": "CVE-2025-25204", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T19:13:28.888Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25204", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-03T19:30:53.401Z", "datePublished": "2025-02-14T16:38:29.038Z", "dateUpdated": "2025-03-03T19:13:28.888Z"}, "containers": {"cna": {"title": "`gh attestation verify` returns incorrect exit code during verification if no attestations are present", "problemTypes": [{"descriptions": [{"cweId": "CWE-390", "lang": "en", "description": "CWE-390: Detection of Error Condition Without Action", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8"}, {"name": "https://github.com/cli/cli/issues/10418", "tags": ["x_refsource_MISC"], "url": "https://github.com/cli/cli/issues/10418"}, {"name": "https://github.com/cli/cli/pull/10421", "tags": ["x_refsource_MISC"], "url": "https://github.com/cli/cli/pull/10421"}], "affected": [{"vendor": "cli", "product": "cli", "versions": [{"version": ">= 2.49.0, < 2.67.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-14T16:38:29.038Z"}, "descriptions": [{"lang": "en", "value": "`gh` is GitHub\u2019s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible."}], "source": {"advisory": "GHSA-fgw4-v983-mgp8", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25204", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-19T15:29:05.799010Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T19:13:23.681Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "`gh` is GitHub\u2019s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible."}, {"lang": "es", "value": "`gh` es la herramienta de l\u00ednea de comandos oficial de GitHub. A partir de la versi\u00f3n 2.49.0 y antes de la versi\u00f3n 2.67.0, bajo ciertas condiciones, un error en la herramienta de l\u00ednea de comandos Artifact Attestation de GitHub `gh attestation verified` hace que devuelva un estado de salida cero cuando no hay atestaciones presentes. Este comportamiento es incorrecto: cuando no hay atestaciones presentes, `gh attestation verified` debe devolver un c\u00f3digo de estado de salida distinto de cero, lo que indica un error de verificaci\u00f3n. Un atacante puede aprovechar esta falla para, por ejemplo, implementar artefactos maliciosos en cualquier sistema que use los c\u00f3digos de salida de `gh attestation verified` para controlar las implementaciones. Se recomienda a los usuarios actualizar `gh` a la versi\u00f3n parcheada `v2.67.0` lo antes posible."}], "id": "CVE-2025-25204", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-14T17:15:19.140", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/cli/cli/issues/10418"}, {"source": "security-advisories@github.com", "url": "https://github.com/cli/cli/pull/10421"}, {"source": "security-advisories@github.com", "url": "https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-390"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-13T11:07:08.146644+00:00", "updated": "2025-07-13T11:07:08.146697+00:00", "vendors": ["github", "github$PRODUCT$cli"]}