GHSA-9CCR-R5HG-74GF
Vulnerability from github – Published: 2026-05-11 16:16 – Updated: 2026-05-14 20:38
Summary
A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval.
Details
Git supports bare repositories — repositories without a working tree — which can be discovered automatically when git traverses the directory hierarchy looking for a .git directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute.
The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse.
Attack Scenario
An attacker can exploit this by:
- Creating a bare git repository nested inside a seemingly normal project directory (e.g., vendor/malicious.git/ or a deeply nested subdirectory)
- Configuring core.fsmonitor (or similar keys) in that bare repository to execute a malicious command
- When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker's command
This can occur when:
- The agent navigates into a subdirectory containing the buried bare repo
- The agent runs git status, git diff, or other routine git commands
- The agent uses tools like grep or glob that may trigger git operations in subdirectories
Prior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.
Impact
An attacker who can place a malicious bare repository inside a project — for example, through:
- A pull request adding a directory that contains a bare repository
- A compromised or malicious dependency that includes a bare repository
- A cloned repository that already contains nested bare repositories
— could achieve arbitrary code execution on the user's workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.
Successful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.
Affected Versions
- GitHub Copilot CLI versions prior to 1.0.42
Remediation and Mitigation
Fix
The fix sets safe.bareRepository=explicit via git's GIT_CONFIG_COUNT / GIT_CONFIG_KEY_* / GIT_CONFIG_VALUE_* environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal — only explicitly allowlisted bare repositories will be used.
User Actions
- Upgrade GitHub Copilot CLI to 1.0.43 or later.
- Exercise caution when working in repositories that contain nested bare git repositories.
- Review project directories for unexpected bare repositories, especially in vendor/, third_party/, or deeply nested subdirectories.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.42"
},
"package": {
"ecosystem": "npm",
"name": "@github/copilot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.43"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45033"
],
"database_specific": {
"cwe_ids": [
"CWE-696"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:16:06Z",
"nvd_published_at": "2026-05-13T16:17:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git\u0027s automatic bare repository discovery during directory traversal, an attacker can set `core.fsmonitor` or other executable config keys to run arbitrary commands without user awareness or approval.\n\n## Details\n\nGit supports bare repositories \u2014 repositories without a working tree \u2014 which can be discovered automatically when git traverses the directory hierarchy looking for a `.git` directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute.\n\nThe vulnerability arises because git\u0027s `core.fsmonitor` config key (and 15+ similar keys such as `core.hookspath`, `diff.external`, `merge.tool`, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like `status`, `diff`, or `rev-parse`.\n\n### Attack Scenario\n\nAn attacker can exploit this by:\n\n1. Creating a bare git repository nested inside a seemingly normal project directory (e.g., `vendor/malicious.git/` or a deeply nested subdirectory)\n2. Configuring `core.fsmonitor` (or similar keys) in that bare repository to execute a malicious command\n3. When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker\u0027s command\n\nThis can occur when:\n- The agent navigates into a subdirectory containing the buried bare repo\n- The agent runs `git status`, `git diff`, or other routine git commands\n- The agent uses tools like `grep` or `glob` that may trigger git operations in subdirectories\n\nPrior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.\n\n## Impact\n\nAn attacker who can place a malicious bare repository inside a project \u2014 for example, through:\n- A pull request adding a directory that contains a bare repository\n- A compromised or malicious dependency that includes a bare repository\n- A cloned repository that already contains nested bare repositories\n\n\u2014 could achieve arbitrary code execution on the user\u0027s workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.\n\nSuccessful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.\n\n## Affected Versions\n\n- GitHub Copilot CLI versions prior to 1.0.42\n\n## Remediation and Mitigation\n\n### Fix\n\nThe fix sets `safe.bareRepository=explicit` via git\u0027s `GIT_CONFIG_COUNT` / `GIT_CONFIG_KEY_*` / `GIT_CONFIG_VALUE_*` environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal \u2014 only explicitly allowlisted bare repositories will be used.\n\n### User Actions\n\n1. **Upgrade** GitHub Copilot CLI to **1.0.43** or later.\n2. **Exercise caution** when working in repositories that contain nested bare git repositories.\n3. **Review** project directories for unexpected bare repositories, especially in `vendor/`, `third_party/`, or deeply nested subdirectories.",
"id": "GHSA-9ccr-r5hg-74gf",
"modified": "2026-05-14T20:38:48Z",
"published": "2026-05-11T16:16:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45033"
},
{
"type": "PACKAGE",
"url": "https://github.com/github/copilot-cli"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.