CWE-200

CVE-2024-53859: go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace

First published: Wed Nov 27 2024

### Summary

A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.

### Details

`go-gh` sources authentication tokens from different environment variables depending on the host involved:

- `GITHUB_TOKEN`, `GH_TOKEN` for GitHub.com and ghe.com
- `GITHUB_ENTERPRISE_TOKEN`, `GH_ENTERPRISE_TOKEN` for GitHub Enterprise Server

Prior to `2.11.1`, `auth.TokenForHost` could source a token from the `GITHUB_TOKEN` environment variable for a host other than GitHub.com or ghe.com when [within a codespace](https://github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go#L73-L77). In `2.11.1`, `auth.TokenForHost` will only source a token from the `GITHUB_TOKEN` environment variable for GitHub.com or ghe.com hosts.

### Impact

Successful exploitation could send an authentication token to an unintended host.

### Remediation and mitigation

1. Upgrade `go-gh` to `2.11.1`
2. Advise extension users to regenerate authentication tokens:
   - [Personal access tokens](https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
   - [GitHub CLI OAuth app](https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps)
3. Advise extension users to review their personal [security log](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log) and any relevant [audit logs](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token) for actions associated with their account or enterprise
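The host boundary the advisory describes is easiest to see side by side. The following is an added illustration written for this page, not go-gh's own `auth.TokenForHost`: a simplified model with a "before" variant that reproduces the codespace fallback to `GITHUB_TOKEN` for a non-GitHub.com host, and an "after" variant that only ever hands `GITHUB_TOKEN`/`GH_TOKEN` to GitHub.com or ghe.com hosts. The lookup order of the variables, the `inCodespace` flag, the `Env` type and the subdomain matching in `IsGitHubDotCom` are all assumptions of the example; the environment it runs against is constructed inline.

```go
package main

import (
	"fmt"
	"strings"
)

// Env abstracts environment lookup so the example runs against a constructed
// map instead of the real process environment (assumption of this example).
type Env map[string]string

// Get returns the variable's value, or "" when unset, mirroring os.Getenv.
func (e Env) Get(name string) string { return e[name] }

// normalizeHost lower-cases the host and drops a trailing dot, so that
// "GitHub.com." and "github.com" compare equal.
func normalizeHost(host string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

// IsGitHubDotCom reports whether host is github.com or ghe.com, or a
// subdomain of either. Treating subdomains as in-scope is an assumption.
func IsGitHubDotCom(host string) bool {
	h := normalizeHost(host)
	for _, d := range []string{"github.com", "ghe.com"} {
		if h == d || strings.HasSuffix(h, "."+d) {
			return true
		}
	}
	return false
}

// firstSet returns the value and name of the first non-empty variable.
func firstSet(e Env, names ...string) (value, source string) {
	for _, n := range names {
		if v := e.Get(n); v != "" {
			return v, n
		}
	}
	return "", ""
}

// TokenForHostBefore models the pre-2.11.1 behaviour the advisory describes:
// for a host that is not GitHub.com/ghe.com, inside a codespace, it falls back
// to GITHUB_TOKEN, so a GitHub.com-scoped token is handed to a host it was
// never meant for. The exact lookup order is an assumption of this model.
func TokenForHostBefore(host string, e Env, inCodespace bool) (token, source string) {
	if IsGitHubDotCom(host) {
		return firstSet(e, "GH_TOKEN", "GITHUB_TOKEN")
	}
	if t, s := firstSet(e, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN"); t != "" {
		return t, s
	}
	if inCodespace {
		return firstSet(e, "GITHUB_TOKEN") // crosses the host boundary
	}
	return "", ""
}

// TokenForHostAfter models the 2.11.1 rule: GITHUB_TOKEN and GH_TOKEN are only
// used for GitHub.com or ghe.com hosts, whether or not we are in a codespace.
func TokenForHostAfter(host string, e Env, inCodespace bool) (token, source string) {
	if IsGitHubDotCom(host) {
		return firstSet(e, "GH_TOKEN", "GITHUB_TOKEN")
	}
	return firstSet(e, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN")
}

func main() {
	// Constructed codespace-like environment: only the GitHub.com token is set.
	env := Env{"GITHUB_TOKEN": "ghu_EXAMPLE_PLACEHOLDER"}
	for _, host := range []string{"github.com", "ghes.corp.example"} {
		_, before := TokenForHostBefore(host, env, true)
		_, after := TokenForHostAfter(host, env, true)
		fmt.Printf("%-18s before=%q after=%q\n", host, before, after)
	}
}
```

Running it shows the difference in one line each: for `github.com` both variants return the token from `GITHUB_TOKEN`, while for `ghes.corp.example` the "before" variant still returns `GITHUB_TOKEN` and the "after" variant returns nothing, because no enterprise variable is set. The `source` return value is what a reviewer or a unit test should assert on when auditing host-scoped credential selection: the question is not only whether a token was found, but which variable it came from and whether that variable is scoped to the host being contacted.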

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/cli/go-gh | <2.11.1 | |
| go/github.com/cli/go-gh/v2 | <=2.11.0 | 2.11.1 |
| debian/golang-github-cli-go-gh-v2 | <=2.6.0-2 | |


Frequently Asked Questions

  • What is the severity of CVE-2024-53859?

    CVE-2024-53859 has a high severity due to the potential for leaking sensitive authentication tokens.

  • How do I fix CVE-2024-53859?

    To fix CVE-2024-53859, update the go-gh package to version 2.11.1 or later.

  • What systems are affected by CVE-2024-53859?

    CVE-2024-53859 affects go-gh versions up to 2.11.0, as well as all versions prior to 2.11.1.

  • What happens if I don't address CVE-2024-53859?

    Not addressing CVE-2024-53859 may expose your authentication tokens to unauthorized access from non-GitHub hosts.

  • Is CVE-2024-53859 specific to GitHub?

    Yes, CVE-2024-53859 is specifically related to authentication token leaks involving GitHub hosts within codespaces.
