GitHub Copilot CLI CVE-2026-29783
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423.
The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations.
The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.
AnalysisAI
Arbitrary code execution in GitHub Copilot CLI versions <=0.0.422 allows attackers to bypass the agent's shell command safety classifier using bash parameter expansion operators (${var@P}, ${var=value}, ${!var}, and nested $(cmd)/<(cmd)). Attackers influencing agent inputs via prompt injection through repository files, MCP server responses, or user instructions can execute hidden commands disguised as read-only operations on the user's workstation. A detailed proof-of-concept is published in the GHSA advisory; EPSS is low (0.10%, 28th percentile) and the issue is not in CISA KEV, so no public exploit identified at time of analysis beyond the vendor-published PoC.
Technical ContextAI
GitHub Copilot CLI is an npm-distributed package (@github/copilot) that exposes an AI coding agent in the terminal with a shell tool gated by a safety classifier that labels commands as read-only or write-capable. The vulnerability (CWE-78, OS Command Injection) abuses bash's parameter expansion grammar: the @P prompt transformation re-evaluates a variable's contents as if it were a PS1 prompt (which performs command substitution), assignment forms ${var=value}/${var:=value} let an attacker stage payloads across multiple expansions, ${!var} performs indirect dereferencing, and nested $(cmd)/<(cmd) within default-value expansions trigger subshell execution. The classifier inspected the outer command (e.g., echo) but did not recursively analyze parameter expansion side effects, so a command like 'echo ${a="$"}${b="$a(touch /tmp/pwned)"}${b@P}' parsed as a safe echo while actually executing the embedded touch.
RemediationAI
Vendor-released patch: upgrade @github/copilot to 0.0.423 or later (npm install -g @github/copilot@0.0.423), per the release notes at https://github.com/github/copilot-cli/releases/tag/v0.0.423 and advisory GHSA-g8r9-g2v8-jv6f. The 0.0.423 release adds explicit user prompting and guardrails for shell commands containing potentially dangerous expansion or substitution patterns. If immediate upgrade is not possible, compensating controls include: running Copilot CLI only inside an ephemeral container or sandbox so an injected command cannot reach the host workstation (trade-off: complicates local file edits and persistent state); avoiding pointing the agent at untrusted repositories, MCP servers, or pasted instructions until upgraded (trade-off: blocks legitimate exploratory use); and disabling or vetting third-party MCP servers configured for the CLI (trade-off: loses MCP-provided functionality). Generic shell-allowlisting at the OS level is not a reliable mitigation because the attack hides behind ostensibly safe utilities like echo.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-g8r9-g2v8-jv6f