DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-29783: CVE-2026-29783: Command Injection via Bash Parameter Expansion in GitHub Copilot CLI

#security #cve #cybersecurity

CVE-2026-29783: Command Injection via Bash Parameter Expansion in GitHub Copilot CLI

Vulnerability ID: CVE-2026-29783
CVSS Score: 7.5
Published: 2026-03-06

A critical command injection vulnerability exists in the GitHub Copilot CLI's shell safety assessment layer, affecting versions 0.0.422 and prior. The vulnerability allows attackers to bypass the CLI's "read-only" safety checks by leveraging advanced Bash parameter expansion features, specifically prompt expansion (${var@P}) and assignment operators. When the CLI processes a seemingly benign command containing these payloads, the shell evaluates the expansion, resulting in arbitrary code execution on the user's workstation.

TL;DR

GitHub Copilot CLI versions ≤ 0.0.422 contain a command injection flaw where shell safety checks fail to sanitize Bash parameter expansions. Attackers can inject payloads like ${var@P} into command arguments to execute arbitrary code when the user runs a suggested command. Fixed in version 0.0.423.

⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-29783
  • CVSS v4.0: 7.5 (High)
  • CWE: CWE-78 (OS Command Injection)
  • Attack Vector: Network (Prompt Injection)
  • Affected Versions: <= 0.0.422
  • Fixed Version: 0.0.423
  • Platform: Cross-Platform (Bash environments)

Affected Systems

  • GitHub Copilot CLI
  • github/copilot-cli: <= 0.0.422 (Fixed in: 0.0.423)

Code Analysis

Commit: 7aa08b3

Fix for CVE-2026-29783: Implement recursive parser for Bash expansion safety.

No public diff available; see advisory.
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • GitHub Advisory: Proof of concept using echo and variable prompt expansion.

Mitigation Strategies

  • Update GitHub Copilot CLI to version 0.0.423 or later.
  • Avoid using automated execution flags (e.g., --yolo) on untrusted codebases.
  • Monitor shell history for suspicious parameter expansion patterns.

Remediation Steps:

  1. Run npm install -g @github/copilot-cli to update the global package.
  2. Verify the installation by running github-copilot-cli --version.
  3. Restart any active terminal sessions to ensure the new binary is loaded.

References

Read the full report for CVE-2026-29783 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)