GitHub Copilot CLI Arbitrary Code Execution Vulnerability via Nested Bare Git Repositories
Vulnerability
A vulnerability in GitHub Copilot CLI prior to version 1.0.43 allows arbitrary code execution. It arises when a malicious bare git repository is nested inside a project directory: git's automatic repository discovery during directory traversal finds the nested bare repository and honours its configuration, so an attacker can use executable configuration keys to run commands without the user's knowledge or consent. Affected versions are GitHub Copilot CLI through 1.0.42.
Impact
Exploitation of this vulnerability could lead to arbitrary code execution on the user's workstation, with potential consequences including data exfiltration, credential theft, file modification, or further system compromise.
Reproduction
To reproduce this vulnerability, create a bare git repository and nest it inside a normal project directory. Configure it to run a malicious command through 'core.fsmonitor' or a similar executable config key. When GitHub Copilot CLI performs git operations that traverse into the directory containing the bare repository, git auto-discovers it, reads its configuration, and executes the command.
Remediation
Users should upgrade GitHub Copilot CLI to version 1.0.43 or later. It is also advisable to review project directories for unexpected bare repositories, particularly under 'vendor' or 'third_party' directories or in deeply nested subdirectories.
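One way to carry out the review recommended above, as an added example that is not part of this advisory or of GitHub's code: a small Python scanner that walks a project tree, flags directories laid out like bare repositories, and lists any config keys git would execute. The key list beyond core.fsmonitor, the bare-repo layout heuristic (HEAD, config, objects/, refs/ directly in the directory) and the sample tree built by demo() are assumptions made here.

```python
import os
import tempfile
from pathlib import Path

# Keys git runs as commands; core.fsmonitor is from the advisory, the rest are assumed examples.
EXECUTABLE_KEYS = {"core.fsmonitor", "core.hookspath", "core.sshcommand", "core.pager",
                   "core.editor", "diff.external", "credential.helper", "gpg.program"}

def looks_like_bare_repo(path: Path) -> bool:
    """Bare repos keep HEAD, config, objects/ and refs/ directly in the directory."""
    return all((path / name).exists() for name in ("HEAD", "config", "objects", "refs"))

def executable_entries(config_text: str) -> list[str]:
    """Minimal git-config reader: 'section.key = value' for every executable key found."""
    section, hits = "", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].split()[0].lower()  # [remote "x"] -> remote
            continue
        key, _, value = line.partition("=")
        full = f"{section}.{key.strip().lower()}"
        if full in EXECUTABLE_KEYS:
            hits.append(f"{full} = {value.strip()}")
    return hits

def scan(root: Path) -> list[tuple[str, list[str]]]:
    """Walk a project tree; report nested bare repos and their executable config keys."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        p = Path(dirpath)
        if p.name == ".git":  # the project's own metadata dir, not a nested bare repo
            dirnames[:] = []
        elif looks_like_bare_repo(p):
            hits = executable_entries((p / "config").read_text(errors="replace"))
            findings.append((p.relative_to(root).as_posix(), hits))
            dirnames[:] = []  # no need to descend into the repo's internals
    return findings

def demo() -> list[tuple[str, list[str]]]:
    """Constructed sample (no git needed): a project with a bare repo hidden under vendor/."""
    root = Path(tempfile.mkdtemp())
    bare = root / "vendor" / "libfoo"
    (bare / "objects").mkdir(parents=True)
    (bare / "refs").mkdir()
    (bare / "HEAD").write_text("ref: refs/heads/main\n")
    (bare / "config").write_text("[core]\n\tbare = true\n\tfsmonitor = ./placeholder-command\n")
    return scan(root)
```

Run scan(Path(".")) from a project root; any finding deserves a look, and a finding with a non-empty key list is a strong signal.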