CVE-2025-48938: 
Wolfi vulnerability analysis and mitigation

go-gh, a collection of Go modules for authoring GitHub CLI extensions, has been identified with a security vulnerability (CVE-2025-48938) in versions prior to 2.12.1. The vulnerability was discovered and disclosed on May 29, 2025, affecting the Browser capability in github.com/cli/go-gh/v2/pkg/browser. This vulnerability could allow an attacker-controlled GitHub Enterprise Server to execute arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing (GitHub Advisory).

The vulnerability stems from Browser.Browse() attempting to open provided URLs using OS-specific approaches without proper scheme validation. Prior to version 2.12.1, the function would process URLs regardless of their scheme, allowing potential manipulation of API responses to include malicious local executable paths instead of legitimate HTTP URLs. The vulnerability has been assigned a CVSS v4.0 score of 2.6 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U. The issue is classified under CWE-501 (Trust Boundary Violation) (NVD).

If successfully exploited, this vulnerability could allow attackers controlling a GitHub Enterprise Server to execute arbitrary commands on users' machines. The impact is particularly significant for users utilizing the GitHub CLI and CLI extensions for viewing repositories, issues, pull requests, or working with GitHub Codespaces through Visual Studio Code (GitHub Advisory).

The vulnerability has been patched in version 2.12.1 of go-gh. The updated Browser.Browse() function now implements strict URL scheme validation: it supports http://, https://, vscode://, and vscode-insiders:// protocols while explicitly blocking file:// protocol, URLs matching files or directories on the filesystem, and URLs matching executables in the user's path. Users are strongly advised to upgrade to version 2.12.1 or later. No alternative workarounds are available (GitHub Advisory).