{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T00:44:01.884","vulnerabilities":[{"cve":{"id":"CVE-2025-25204","sourceIdentifier":"security-advisories@github.com","published":"2025-02-14T17:15:19.140","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible."},{"lang":"es","value":"`gh` es la herramienta de línea de comandos oficial de GitHub. A partir de la versión 2.49.0 y antes de la versión 2.67.0, bajo ciertas condiciones, un error en la herramienta de línea de comandos Artifact Attestation de GitHub `gh attestation verified` hace que devuelva un estado de salida cero cuando no hay atestaciones presentes. Este comportamiento es incorrecto: cuando no hay atestaciones presentes, `gh attestation verified` debe devolver un código de estado de salida distinto de cero, lo que indica un error de verificación. Un atacante puede aprovechar esta falla para, por ejemplo, implementar artefactos maliciosos en cualquier sistema que use los códigos de salida de `gh attestation verified` para controlar las implementaciones. Se recomienda a los usuarios actualizar `gh` a la versión parcheada `v2.67.0` lo antes posible."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":4.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-390"}]}],"references":[{"url":"https://github.com/cli/cli/issues/10418","source":"security-advisories@github.com"},{"url":"https://github.com/cli/cli/pull/10421","source":"security-advisories@github.com"},{"url":"https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8","source":"security-advisories@github.com"}]}}]}