FKIE_CVE-2026-29783

Vulnerability from fkie_nvd - Published: 2026-03-06 17:16 - Updated: 2026-03-09 13:35
Severity ?
7.5 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423. The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations. The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.
References
security-advisories@github.comhttps://github.com/github/copilot-cli/releases/tag/v0.0.423
security-advisories@github.comhttps://github.com/github/copilot-cli/security/advisories/GHSA-g8r9-g2v8-jv6f
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as \"read-only.\" This has been patched in version 0.0.423. \n\nThe vulnerability stems from how the CLI\u0027s shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations.\n\nThe specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or \u003c(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user\u0027s workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise."
    },
    {
      "lang": "es",
      "value": "La herramienta de shell en las versiones de GitHub Copilot CLI anteriores e incluyendo la 0.0.422 puede permitir la ejecuci\u00f3n de c\u00f3digo arbitrario a trav\u00e9s de patrones de expansi\u00f3n de par\u00e1metros de bash manipulados. Un atacante que puede influir en los comandos ejecutados por el agente (por ejemplo, a trav\u00e9s de inyecci\u00f3n de prompt mediante archivos de repositorio, respuestas del servidor MCP o instrucciones del usuario) puede explotar los operadores de transformaci\u00f3n de par\u00e1metros de bash para ejecutar comandos ocultos, eludiendo la evaluaci\u00f3n de seguridad que clasifica los comandos como \u0027solo lectura\u0027. Esto ha sido parcheado en la versi\u00f3n 0.0.423.\n\nLa vulnerabilidad se deriva de c\u00f3mo la evaluaci\u00f3n de seguridad de shell de la CLI eval\u00faa los comandos antes de la ejecuci\u00f3n. La capa de seguridad analiza y clasifica los comandos de shell como de solo lectura (seguros) o con capacidad de escritura (requiere aprobaci\u00f3n del usuario). Sin embargo, varias caracter\u00edsticas de expansi\u00f3n de par\u00e1metros de bash pueden incrustar c\u00f3digo ejecutable dentro de argumentos de comandos que de otro modo ser\u00edan de solo lectura, haciendo que parezcan seguros mientras que en realidad realizan operaciones arbitrarias.\n\nLos patrones peligrosos espec\u00edficos son ${var@P}, ${var=value} / ${var:=value}, ${!var}, y $(cmd) o \u0026lt;(cmd) anidados dentro de expansiones ${...}. Un atacante que puede influir en el texto de comando enviado a la herramienta de shell - por ejemplo, a trav\u00e9s de inyecci\u00f3n de prompt mediante contenido de repositorio malicioso (archivos README, comentarios de c\u00f3digo, cuerpos de incidencias), respuestas de servidor MCP comprometidas o maliciosas, o instrucciones de usuario manipuladas que contengan comandos ofuscados - podr\u00eda lograr ejecuci\u00f3n de c\u00f3digo arbitrario en la estaci\u00f3n de trabajo del usuario. Esto es posible incluso en modos de permiso que requieren la aprobaci\u00f3n del usuario para operaciones de escritura, ya que los comandos pueden parecer usar solo utilidades de solo lectura para finalmente desencadenar operaciones de escritura. La explotaci\u00f3n exitosa podr\u00eda conducir a la exfiltraci\u00f3n de datos, modificaci\u00f3n de archivos o un compromiso adicional del sistema."
    }
  ],
  "id": "CVE-2026-29783",
  "lastModified": "2026-03-09T13:35:34.633",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-06T17:16:35.487",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/github/copilot-cli/releases/tag/v0.0.423"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/github/copilot-cli/security/advisories/GHSA-g8r9-g2v8-jv6f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.