CVE-2024-54132

Publication date 4 December 2024

Last updated 4 February 2026

Ubuntu priority

Description

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gh	25.10 questing	Not affected
	25.04 plucky	Ignored end of life, was needs-triage
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Fixed 2.45.0-1ubuntu0.3+esm2
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not in release

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

john-breton

A patch was introduced in 2.46.0-3 (covering questing and up)

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gh	Upstream: 1136764

References

Related Ubuntu Security Notices (USN)

USN-8012-1
GitHub CLI vulnerabilities
4 February 2026