CVE-2025-48938 is a security vulnerability identified in the go-gh project, a set of Go modules designed to facilitate the creation of GitHub CLI extensions. The vulnerability exists in versions prior to 2.12.1 and is classified as a CWE-501: Trust Boundary Violation. Specifically, the issue arises when a user interacts with a GitHub Enterprise Server that is attacker-controlled. In this scenario, the server can manipulate HTTP URLs that the go-gh client expects to open in a browser by substituting them with local file paths. This manipulation can cause the client to execute arbitrary commands on the user's machine by opening or executing local files instead of safe HTTP URLs. The root cause is insufficient validation and sanitization of URLs before they are passed to the Browser.Browse() function. The fix introduced in version 2.12.1 enhances Browser.Browse() to strictly allow or disallow certain scenarios, preventing the execution or opening of local filesystem files while maintaining the ability to handle legitimate HTTP URLs. No workarounds exist other than upgrading to the patched version. The CVSS 4.0 score is 2.6, indicating a low severity, primarily because exploitation requires a privileged user context (PR:L), no user interaction (UI:N), and the attack vector is network-based (AV:N). The scope is high (S:H), meaning the vulnerability affects components beyond the vulnerable module, but the impact on confidentiality, integrity, and availability is none (VC:N, VI:N, VA:N). No known exploits are currently in the wild.

For European organizations, the impact of this vulnerability is relatively limited but non-negligible. Since go-gh is used to develop GitHub CLI extensions, it is primarily relevant to developers and DevOps teams who interact with GitHub Enterprise Servers. An attacker controlling a GitHub Enterprise Server could exploit this vulnerability to execute arbitrary commands on the developer's local machine, potentially leading to unauthorized code execution, data leakage, or further compromise of the developer's environment. This could undermine the integrity of the software development lifecycle, especially in organizations relying heavily on GitHub Enterprise for source code management. However, the low CVSS score and the requirement for a privileged user context reduce the likelihood of widespread impact. Still, organizations with sensitive development environments or those using customized GitHub Enterprise Servers should consider this a risk. The vulnerability could also be leveraged in targeted attacks against high-value development teams or critical infrastructure projects within Europe.

The primary and only effective mitigation is to upgrade all instances of go-gh to version 2.12.1 or later, where the Browser.Browse() function has been enhanced to prevent this attack vector. Organizations should audit their development environments to identify usage of go-gh modules and ensure timely patching. Additionally, organizations should enforce strict controls and monitoring on GitHub Enterprise Server configurations, limiting the ability of untrusted parties to influence URL content. Implementing network segmentation and access controls to restrict developer machines' exposure to untrusted GitHub Enterprise Servers can further reduce risk. Security teams should educate developers about the risks of interacting with untrusted or unknown GitHub Enterprise instances. Finally, integrating runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions can help detect anomalous command executions resulting from exploitation attempts.