VulnWatch VulnWatch
← Back to dashboard
High github · GHSA-9ccr-r5hg-74gf

GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor

Published May 11, 2026 CVSS 0.0

Summary

A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval.

Details

Git supports bare repositories — repositories without a working tree — which can be discovered automatically when git traverses the directory hierarchy looking for a .git directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute.

The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse.

Attack Scenario

An attacker can exploit this by:

  1. Creating a bare git repository nested inside a seemingly normal project directory (e.g., vendor/malicious.git/ or a deeply nested subdirectory)
  2. Configuring core.fsmonitor (or similar keys) in that bare repository to execute a malicious command
  3. When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker's command

This can occur when:

  • The agent navigates into a subdirectory containing the buried bare repo
  • The agent runs git status, git diff, or other routine git commands
  • The agent uses tools like grep or glob that may trigger git operations in subdirectories

Prior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.

Impact

An attacker who can place a malicious bare repository inside a project — for example, through:

  • A pull request adding a directory that contains a bare repository
  • A compromised or malicious dependency that includes a bare repository
  • A cloned repository that already contains nested bare repositories

— could achieve arbitrary code execution on the user's workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.

Successful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.

Affected Versions

  • GitHub Copilot CLI versions prior to 1.0.42

Remediation and Mitigation

Fix

The fix sets safe.bareRepository=explicit via git's GIT_CONFIG_COUNT / GIT_CONFIG_KEY_* / GIT_CONFIG_VALUE_* environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal — only explicitly allowlisted bare repositories will be used.

User Actions

  1. Upgrade GitHub Copilot CLI to 1.0.43 or later.
  2. Exercise caution when working in repositories that contain nested bare git repositories.
  3. Review project directories for unexpected bare repositories, especially in vendor/, third_party/, or deeply nested subdirectories.
Remote Code Execution

Affected AI Products

github copilot copilot
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.