{"id":"AZL-56885","summary":"CVE-2025-25204 affecting package gh for versions less than 2.62.0-6","details":"`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.","modified":"2026-04-01T05:18:59.947813Z","published":"2025-02-14T17:15:19Z","upstream":["CVE-2025-25204"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25204"}],"affected":[{"package":{"name":"gh","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/gh"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.62.0-6"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-56885.json"}}],"schema_version":"1.7.5"}