GitHub CLI
cpe:2.3:a:github:cli:*:*:*:*:*:*:*
- <= v2.92.0
A vulnerability exists in GitHub CLI (gh) versions prior to 2.93.0, where the tool incorrectly includes authorization headers in API requests to TUF repository mirrors. This issue arises in commands such as 'gh attestation', 'gh release verify', and 'gh release verify-asset'. The vulnerability is rooted in a shared HTTP client that automatically attaches authentication tokens to outgoing requests. Because the client lacks proper host detection, tokens are attributed to the wrong host. Specifically, requests to 'tuf-repo.github.com' are misidentified as requests to 'github.com', resulting in the unintentional inclusion of the user's GitHub token. Similarly, for hosts that do not correspond to GitHub.com or a known GitHub Enterprise Server instance, the client may fall back to using the 'GH_ENTERPRISE_TOKEN' if it is set. This flaw allows for the unauthorized transmission of authentication tokens to external hosts during normal CLI operations.
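As an added illustration (not the gh project's own code), the following Go snippet contrasts a token-selection routine exhibiting the two failure modes the advisory describes (loose host matching and an unconditional enterprise-token fallback) with one that attaches a credential only to a positively identified host. The suffix-match check, the token values, the enterprise host and the mirror host are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// vulnerableToken is a constructed model of the advisory's two failure modes,
// not the real gh implementation:
//  1. loose host detection: any host ending in "github.com" (assumed to be a
//     suffix match) is treated as github.com, so tuf-repo.github.com gets the user token;
//  2. every other host falls back to the enterprise token when one is set.
func vulnerableToken(host, ghToken, enterpriseToken string) string {
	h := strings.ToLower(host)
	if strings.HasSuffix(h, "github.com") {
		return ghToken
	}
	return enterpriseToken // "" only when GH_ENTERPRISE_TOKEN is unset
}

// fixedToken attaches a credential only to hosts it positively identifies:
// an exact match on github.com / api.github.com, or an exact match against
// the configured GitHub Enterprise Server hosts. Any other host gets no token.
func fixedToken(host, ghToken, enterpriseToken string, knownGHES []string) string {
	h := strings.ToLower(strings.TrimSuffix(host, ".")) // normalise case and trailing dot
	if h == "github.com" || h == "api.github.com" {
		return ghToken
	}
	for _, e := range knownGHES {
		if h == strings.ToLower(e) {
			return enterpriseToken
		}
	}
	return ""
}

func main() {
	known := []string{"ghes.example.internal"} // constructed GHES host
	hosts := []string{"api.github.com", "tuf-repo.github.com", "ghes.example.internal", "mirror.example.org"}
	for _, host := range hosts {
		fmt.Printf("%-24s vulnerable=%q fixed=%q\n", host,
			vulnerableToken(host, "gho_USER", "ghe_ENT"),
			fixedToken(host, "gho_USER", "ghe_ENT", known))
	}
}
```

Running it shows the user token leaking to the TUF mirror host and the enterprise token leaking to the unrelated mirror in the vulnerable variant, while the fixed variant sends nothing to either.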
This vulnerability could lead to the unauthorized transmission of GitHub authentication tokens or GitHub Enterprise tokens to external hosts, potentially allowing those hosts to access resources or perform actions on behalf of the user, depending on the permissions associated with the token.
Users are advised to revoke any authentication tokens used with GitHub CLI, upgrade to version 2.93.0, and review their personal security log and any relevant audit logs for actions associated with their account or enterprise.