A serious security flaw has been identified in GitHub CLI, affecting versions prior to 2.62.0. The vulnerability, designated CVE-2024-32002, allows remote code execution (RCE) through malicious SSH commands when users interact with GitHub Codespaces. This flaw could pose a significant risk to developers, enabling attackers to execute arbitrary commands on a victim’s system. The issue stems from how the GitHub CLI handles SSH connection details, specifically when users connect to maliciously configured Codespace environments via commands like gh codespace ssh or gh codespace logs.
The exploitation of this vulnerability occurs when an attacker crafts a malicious devcontainer, which includes a compromised SSH server. The attacker can inject arbitrary SSH arguments into the connection details, enabling remote code execution when a victim connects to the malicious environment. For example, using a crafted username with a -oProxyCommand flag could trick the system into executing harmful commands, such as injecting a malicious script. The command executes silently, allowing attackers to carry out their actions without alerting the user.
If successfully exploited, this vulnerability could have severe consequences. Attackers could gain full control over a user’s system, install malware or backdoors, steal sensitive data, or move laterally within a network. This highlights the growing risks associated with cloud-based development environments, especially when dealing with untrusted repositories or custom devcontainer images. With the increasing reliance on remote development platforms like GitHub Codespaces, security in these tools has become even more critical.
To address this issue, GitHub has released a patch in version 2.62.0 of the CLI tool. Users are strongly advised to update to this version immediately to protect themselves from potential exploitation. In addition, it is recommended to exercise caution when using custom devcontainer images and to avoid connecting to Codespaces from untrusted repositories. By prioritizing security and employing better validation practices, both tool developers and users can help prevent similar vulnerabilities from affecting the broader developer ecosystem.
