{"id":"AZL-62282","summary":"CVE-2025-48938 affecting package gh for versions less than 2.62.0-9","details":"go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.","modified":"2026-04-21T04:31:58.960844Z","published":"2025-05-30T19:15:29Z","upstream":["CVE-2025-48938"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48938"}],"affected":[{"package":{"name":"gh","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/gh"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.62.0-9"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-62282.json"}}],"schema_version":"1.7.5"}