CVE-2025-25204

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-25204

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-25204.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-25204

Aliases

Downstream

UBUNTU-CVE-2025-25204

openSUSE-SU-2025:14889-1

Related

Published

2025-02-14T16:38:29Z

Modified

2025-10-20T20:30:35.842597Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N CVSS Calculator

Summary

`gh attestation verify` returns incorrect exit code during verification if no attestations are present

Details

gh is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool gh attestation verify causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, gh attestation verify should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses gh attestation verify's exit codes to gatekeep deployments. Users are advised to update gh to patched version v2.67.0 as soon as possible.

Database specific

{
    "cwe_ids": [
        "CWE-390"
    ]
}

References

Affected packages

Git / github.com/cli/cli

Affected ranges

Type: GIT
Repo: https://github.com/cli/cli
Events: Introduced

f2d6a8ec5c6f56204f6f36339b813252f25a6f51

Fixed

6899fe21dd80873893dd1a3bf3bdd4d33b1b2338

Affected versions

v2.*

v2.49.0

v2.49.1

v2.49.2

v2.50.0

v2.51.0

v2.52.0

v2.53.0

v2.54.0

v2.55.0

v2.56.0

v2.57.0

v2.58.0

v2.59.0

v2.60.0

v2.60.1

v2.61.0

v2.62.0

v2.63.0

v2.63.1

v2.63.2

v2.64.0

v2.65.0

v2.66.0

v2.66.1