CVE-2025-25204

Publication date 14 February 2025

Last updated 3 February 2026

Ubuntu priority

Cvss 3 Severity Score

Description

`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gh	25.10 questing	Not affected
	25.04 plucky	Ignored end of life, was needs-triage
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not in release

Notes

allenpthuang

As per the GitHub Advisory, this issue impacts v2.49.0 and later.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gh	Upstream: https://github.com/cli/cli/pull/10421

Severity score breakdown

Parameter	Value
Base score	6.3 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	Low
User interaction	None
Scope	Changed
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N