GitHub CLI (gh), the official command line tool for GitHub, lets developers manage repositories, workflows, and more directly from the terminal. Because it writes files to the local filesystem on the user's behalf, a mistake in its path handling is not just a bug but a security hole.
On December 4, 2024, CVE-2024-54132 was made public, disclosing a path traversal vulnerability in the gh run download command. A malicious GitHub Actions workflow could use it to make any user who downloads one of its artifacts overwrite or create files outside the directory they asked for. This post breaks down the vulnerability, shows how it works with simple code snippets, details the exploitation process, and offers remediation advice.
What’s the Problem?
CVE-2024-54132 is a directory traversal bug in the part of gh that downloads workflow-run artifacts. Whoever controls the workflow also controls the artifact's name. If they name an artifact .. (dot dot), a user who downloads it ends up with its contents written *one directory above* where they expected.
Affected command:
```shell
gh run download <run-id> --name ".." --dir ./safe-download/
```
Instead of landing inside safe-download/, the files end up in its parent directory, where they can overwrite existing files or drop malicious code into a location the user never intended.
How Does the Exploit Work?
The issue centers on how gh combines the artifact's name with the --dir flag. Here is the vulnerable logic, simplified:
Vulnerable Extraction Process (Pseudocode)
```go
// Conceptual snippet showing the flawed logic, not the actual gh CLI code.
// artifactName comes from the workflow run, so the workflow author controls it;
// userProvidedDir is the value of --dir.
downloadPath := path.Join(userProvidedDir, artifactName)
unzipFilesInto(downloadPath)
```
If artifactName is set to "..", then
- downloadPath becomes ./safe-download/.., which path.Join cleans to . (the current directory)
- That is the *parent* directory of safe-download/, not a location inside it.
Nothing checks that the joined path still lies under the directory the user asked for, so when the artifact is extracted there, its files escape the intended folder.
Attacker side:
- Name the artifact ..
- Put in it whatever files should land *one directory up* from the victim's download directory, with names chosen to collide with files there (for example .bashrc if the victim downloads into a subdirectory of their home directory, or index.html if they download into a subdirectory of a web root)
Victim side:
```shell
gh run download 123456789 --name ".." --dir ./safe-download
```
- The user expects the files in ./safe-download/, but they are extracted into its parent folder.
Proof-of-Concept
```shell
# Attacker's workflow uploads an artifact named '..' containing a file called malware.sh
# Victim runs:
gh run download 123456789 --name ".." --dir ./safe-download
# Instead of ./safe-download/malware.sh, the file ends up as ./malware.sh
```
Impact
- File Overwrite: existing files in the parent directory (for example README.md or config files) can be replaced with attacker-controlled content.
- Arbitrary File Write: new files can be planted there as well, which turns into code execution if they are scripts, binaries, or shell startup files that something later runs; symlinks inside the artifact are a further concern for any extractor that follows them.
Fix Status
Patched in version: 2.63.1
The fix validates the destination path: an artifact whose name would resolve to a location outside the chosen directory is rejected instead of extracted.
Update now. First check what you are running:
```shell
gh version
```
gh has no self-update command; upgrade it through the package manager you installed it with, for example:
```shell
brew upgrade gh                            # Homebrew (macOS/Linux)
sudo apt update && sudo apt install gh     # Debian/Ubuntu with GitHub's apt repository configured
winget upgrade --id GitHub.cli             # Windows
```
Then run gh version again and confirm it reports 2.63.1 or later.
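To make both the flaw from the "How Does the Exploit Work?" section and the shape of the fix concrete, here is an added example written for this post. It is not code from the GitHub CLI repository; the function names (vulnerableDest, safeDest, descendsFrom), the error value and the sample artifact names are illustrative assumptions. It contrasts the unchecked join with a destination check that compares cleaned absolute paths, which is the kind of validation the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// vulnerableDest mirrors the unchecked logic: the artifact name, which the
// workflow author controls, is joined to the user's --dir without validation.
// filepath.Join also cleans the result, so "safe-download" + ".." collapses
// to ".", i.e. the parent of safe-download.
func vulnerableDest(destDir, artifactName string) string {
	return filepath.Join(destDir, artifactName)
}

// errEscapesDir is returned when the resolved path is not inside destDir.
// (Illustrative name, an assumption of this post.)
var errEscapesDir = errors.New("artifact name escapes destination directory")

// descendsFrom reports whether candidate is destDir itself or a path below it.
// It compares cleaned absolute paths via filepath.Rel, so ".." segments and
// "./" prefixes cannot disguise an escape, and a sibling directory that merely
// shares a string prefix (safe-download-evil) is not mistaken for a child.
func descendsFrom(destDir, candidate string) (bool, error) {
	absDir, err := filepath.Abs(destDir)
	if err != nil {
		return false, err
	}
	absCand, err := filepath.Abs(candidate)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(absDir, absCand)
	if err != nil {
		return false, err
	}
	// A relative path of ".." or starting with "../" points outside absDir.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false, nil
	}
	return true, nil
}

// safeDest performs the same join but refuses any artifact name whose
// destination would land outside destDir.
func safeDest(destDir, artifactName string) (string, error) {
	dest := filepath.Join(destDir, artifactName)
	ok, err := descendsFrom(destDir, dest)
	if err != nil {
		return "", err
	}
	if !ok {
		return "", errEscapesDir
	}
	return dest, nil
}

func main() {
	// Constructed sample artifact names: one benign, three traversal attempts.
	names := []string{"build-output", "..", "../../etc", "a/../../b"}
	for _, n := range names {
		fmt.Printf("%-12q unchecked: %-12s", n, vulnerableDest("safe-download", n))
		if dest, err := safeDest("safe-download", n); err != nil {
			fmt.Printf(" checked: REJECTED (%v)\n", err)
		} else {
			fmt.Printf(" checked: %s\n", dest)
		}
	}
}
```

The check is done on the joined, cleaned path rather than by scanning the raw name for ".." because the name can reach the parent in more than one way (a/../../b resolves to b in the parent directory even though it does not start with ..). Comparing with filepath.Rel against the absolute destination directory is what makes every such variant fail the same test.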
References
- GitHub Security Advisory GHSA-XXXX-XXXX-XXXX
- CVE Record: CVE-2024-54132
- GitHub CLI v2.63.1 Release Notes
- Official GitHub CLI Documentation
Conclusion
CVE-2024-54132 is an example of a subtle bug with dangerous consequences. Even a widely trusted tool like GitHub CLI can get path handling wrong, enabling an attack that looks obvious in hindsight: a name supplied by an untrusted party (the workflow author) was used to build a filesystem path without checking where the result pointed. Awareness and timely updates are your best defense.
Keep your tools up to date, and treat any externally supplied name as untrusted input before it touches a path.
*Written for developers and DevOps: simple, practical advice for secure automation.*
Timeline
Published on: 12/04/2024 16:15:26 UTC