一、 漏洞 CVE-2025-25204 基础信息
漏洞标题
当没有证明文件时,`gh attestation verify` 在验证过程中返回错误的退出代码
来源:AIGC 神龙大模型
漏洞描述信息
`gh`是GitHub的官方命令行工具。在版本2.49.0到2.67.0之间,GitHub的Artifact Attestation命令行工具`gh attestation verify`存在一个漏洞,当不存在任何认证信息时,该工具会返回一个零退出状态。这种行为是不正确的:当没有认证信息时,`gh attestation verify`应该返回一个非零退出状态码,以表示验证失败。攻击者可以利用这一漏洞,例如在任何使用`gh attestation verify`的退出码来控制部署的系统中部署恶意工件。建议用户尽快将`gh`更新到已修复的版本`v2.67.0`。
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
来源:AIGC 神龙大模型
漏洞类别
输入验证不恰当
来源:AIGC 神龙大模型
漏洞标题
`gh attestation verify` returns incorrect exit code during verification if no attestations are present
来源:美国国家漏洞数据库 NVD
漏洞描述信息
`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
未有动作错误条件的检测
来源:美国国家漏洞数据库 NVD
二、漏洞 CVE-2025-25204 的公开POC
# POC 描述 源链接 神龙链接
三、漏洞 CVE-2025-25204 的情报信息

  • 标题: Exit with error if no matching predicate type exists by kommendorkapten · Pull Request #10421 · cli/cli · GitHub -- 🔗来源链接

    标签: x_refsource_MISC

    Exit with error if no matching predicate type exists by kommendorkapten · Pull Request #10421 · cli/cli · GitHub

  • 标题: gh attestation verify always returns a 0 exit code · Issue #10418 · cli/cli -- 🔗来源链接

    标签: x_refsource_MISC

    gh attestation verify always returns a 0 exit code · Issue #10418 · cli/cli

  • 标题: `gh attestation verify` returns incorrect exit code during verification when predicate types mismatch · Advisory · cli/cli · GitHub -- 🔗来源链接

    标签: x_refsource_CONFIRM

    `gh attestation verify` returns incorrect exit code during verification when predicate types mismatch · Advisory · cli/cli · GitHub
  • https://nvd.nist.gov/vuln/detail/CVE-2025-25204