CVE-2025-25204

`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.

`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.

`gh attestation verify` returns incorrect exit code during verification if no attestations are present in github.com/cli/cli

### Summary A bug in GitHub's Artifact Attestation CLI tool, `gh attestation verify`, may return an incorrect zero exit status when no matching attestations are found for the specified `--predicate-type <value>` or the default `https://slsa.dev/provenance/v1` if not specified. This issue only arises if an artifact has an attestation with a predicate type different from the one provided in the command. As a result, users relying solely on these exit codes may mistakenly believe the attestation has been verified, despite the absence of an attestation with the specified predicate type and the tool printing a verification failure. Users are advised to update `gh` to version `v2.67.0` as soon as possible. Initial report: https://github.com/cli/cli/issues/10418 Fix: https://github.com/cli/cli/pull/10421 ### Details The gh attestation verify command fetches, loads, and attempts to verify attestations associated with a given artifact for a specified predicate type. If an attestation is found, but the predicate type does not match the one specified in the `gh attestation verify` command, the verification fails, but the program exits early. Due to a re-used uninitialized error variable, when no matching attestations are found, the relevant function returns `nil` instead of an error, causing the program to exit with a status code of `0`, which incorrectly suggests successful verification. ### PoC Run `gh attestation verify` with local attestations using the `--bundle` flag and specify a predicate type with `--predicate-type` that you know will not match any of the attestations the command will attempt to verify. Confirm that the command exits with a zero status code. ### Impact Users who rely exclusively on the exit status code of `gh attestation verify` may incorrectly verify an attestation when the attestation's predicate type does not match the specified predicate type in the command.

`gh` es la herramienta de línea de comandos oficial de GitHub. A partir de la versión 2.49.0 y antes de la versión 2.67.0, bajo ciertas condiciones, un error en la herramienta de línea de comandos Artifact Attestation de GitHub `gh attestation verified` hace que devuelva un estado de salida cero cuando no hay atestaciones presentes. Este comportamiento es incorrecto: cuando no hay atestaciones presentes, `gh attestation verified` debe devolver un código de estado de salida distinto de cero, lo que indica un error de verificación. Un atacante puede aprovechar esta falla para, por ejemplo, implementar artefactos maliciosos en cualquier sistema que use los códigos de salida de `gh attestation verified` para controlar las implementaciones. Se recomienda a los usuarios actualizar `gh` a la versión parcheada `v2.67.0` lo antes posible.