CVE-2025-25204

Severity: MEDIUM (CVSS 6.3) | EPSS: 0.21%

`gh attestation verify` returns incorrect exit code during verification if no attestations are present

Published: 2/14/2025 | Modified: 2/4/2026
Also known as: GHSA-fgw4-v983-mgp8, CGA-rr9m-4h8x-cwqf, GO-2025-3467

Description

### Summary

A bug in GitHub's Artifact Attestation CLI tool, `gh attestation verify`, may return an incorrect zero exit status when no matching attestations are found for the specified `--predicate-type <value>` (or the default `https://slsa.dev/provenance/v1` if none is specified). This issue only arises if an artifact has an attestation with a predicate type different from the one provided in the command. As a result, users relying solely on the exit code may mistakenly believe the attestation has been verified, even though no attestation with the specified predicate type exists and the tool has printed a verification failure. Users are advised to update `gh` to version `v2.67.0` as soon as possible.

Initial report: https://github.com/cli/cli/issues/10418
Fix: https://github.com/cli/cli/pull/10421

### Details

The `gh attestation verify` command fetches, loads, and attempts to verify attestations associated with a given artifact for a specified predicate type. If an attestation is found but its predicate type does not match the one specified in the `gh attestation verify` command, the verification fails, but the program exits early. Because of a re-used, uninitialized error variable, when no matching attestations are found the relevant function returns `nil` instead of an error, so the program exits with a status code of `0`, which incorrectly suggests successful verification.

### PoC

Run `gh attestation verify` with local attestations using the `--bundle` flag and specify a predicate type with `--predicate-type` that you know will not match any of the attestations the command will attempt to verify. Confirm that the command exits with a zero status code.

### Impact

Users who rely exclusively on the exit status code of `gh attestation verify` may incorrectly treat an attestation as verified when its predicate type does not match the predicate type specified in the command.
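The error-handling slip the Details section describes, reconstructed as an added Go example that is not the gh source code: `filterBuggy` is a hypothetical simplification of the flawed pattern (the error variable is never assigned on the predicate-mismatch path, so an empty result returns `nil`), `filterFixed` shows the shape of the correction, and `exitCode` stands in for the process status a CI job branches on. The `attestation` type and the predicate URIs are constructed for the illustration.

```go
package main

import "fmt"

// attestation is a constructed stand-in for a bundle entry (not gh's type).
type attestation struct{ predicateType string }

// filterBuggy is a hypothetical reconstruction of the failure mode, not the
// gh source: err is declared once but only ever assigned on a hard failure,
// so when every attestation is skipped for a predicate mismatch (each one
// printed as a failure) err is still nil when the function returns.
func filterBuggy(atts []attestation, want string) ([]attestation, error) {
	var err error
	var matched []attestation
	for _, a := range atts {
		if a.predicateType != want {
			fmt.Printf("predicate type %q does not match %q\n", a.predicateType, want)
			continue // failure printed, but err never assigned
		}
		matched = append(matched, a)
	}
	if len(matched) == 0 {
		return nil, err // BUG: err is nil here, so the caller exits 0
	}
	return matched, nil
}

// filterFixed returns an explicit error whenever nothing matched, so an
// empty result can never be reported as success.
func filterFixed(atts []attestation, want string) ([]attestation, error) {
	var matched []attestation
	for _, a := range atts {
		if a.predicateType == want {
			matched = append(matched, a)
		}
	}
	if len(matched) == 0 {
		return nil, fmt.Errorf("no attestations found with predicate type %q", want)
	}
	return matched, nil
}

// exitCode maps a verification result to the status a CI job branches on.
func exitCode(err error) int {
	if err != nil {
		return 1
	}
	return 0
}
```

With one provenance attestation and a mismatching predicate type, the buggy path yields exit code 0 and the fixed path exit code 1.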

Affected packages (3)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N |

References (5)