A newly disclosed security vulnerability in GitHub Copilot CLI allows attackers to achieve arbitrary code execution by embedding a malicious bare Git repository inside a project directory.
The flaw, tracked as CVE-2026-45033 and published under advisory GHSA-9ccr-r5hg-74gf, affects all versions of the @github/copilot npm package up to and including v1.0.42. GitHub has patched the issue in v1.0.43, released on May 8, 2026.
At its core, the vulnerability stems from how Git handles bare repositories that contain version control data but no working tree. Git’s directory traversal logic automatically discovers bare repositories as it walks up or down the file hierarchy, reading and applying their configuration.
The danger lies in Git configuration keys such as core.fsmonitor, core.hooksPath, diff.external, and merge.tool (over 15 such keys exist) that accept arbitrary shell commands, which Git then executes automatically during routine operations such as git status, git diff, or git rev-parse.
CVE-2026-45033: GitHub Copilot Vulnerability
When GitHub Copilot CLI performs a Git operation while traversing a directory, it can inadvertently trigger the auto-discovery of a buried bare repository. Once discovered, Git reads that repository’s configuration and executes whatever command the attacker embedded, all without the user’s awareness or approval.
The attack chain is deceptively simple and requires no elevated privileges on the attacker’s part. Here is how a threat actor can exploit CVE-2026-45033:
- Plant the repository – An attacker creates a bare Git repository nested inside a seemingly legitimate project directory, such as vendor/malicious.git/ or a deeply embedded subdirectory.
- Embed the payload – The attacker sets core.fsmonitor (or a similar executable config key) in the bare repository’s config file to point to a malicious shell command.
- Wait for the trigger – When the victim uses GitHub Copilot CLI to perform any Git operation, or even when the CLI uses tools like grep or glob that indirectly invoke Git, the bare repository is automatically discovered, and the malicious command runs silently.
The malicious bare repository can be introduced through multiple realistic vectors: a pull request that adds a seemingly harmless directory, a compromised npm or third-party dependency, or a pre-poisoned cloned repository that already contains nested bare repos.
This attack technique is not theoretical: red team researchers have already demonstrated how core.fsmonitor can be weaponized for initial access, where simply opening a malicious folder in a common IDE such as VS Code or Cursor is enough to fire the payload without any further user interaction.
Successful exploitation of CVE-2026-45033 can lead to severe consequences on the victim’s workstation, including:
- Data exfiltration – sensitive files, tokens, or credentials silently sent to attacker-controlled infrastructure
- Credential theft – SSH keys, API tokens, or .env files harvested from the developer environment
- File modification – source code or configuration files tampered with to introduce backdoors
- Full system compromise – arbitrary command execution with the victim developer’s privileges
The vulnerability is classified under CWE-696: Incorrect Behavior Order, meaning the software performs multiple related behaviors in the wrong sequence, thereby producing exploitable weaknesses.
Specifically, GitHub Copilot CLI performed Git operations before validating or restricting which repositories Git was allowed to auto-discover, a critical ordering flaw that permitted unvalidated bare repository configurations to be applied with full execution authority.
GitHub resolved the vulnerability by enforcing the safe.bareRepository=explicit setting through Git’s environment-variable mechanism (GIT_CONFIG_COUNT, GIT_CONFIG_KEY_*, and GIT_CONFIG_VALUE_*), which carries the highest configuration precedence and overrides all config files on disk.
With this setting active, Git will no longer automatically discover and apply configuration from bare repositories encountered during directory traversal. Only explicitly allowlisted bare repositories are honored. This surgical fix neutralizes the auto-discovery attack vector entirely without breaking legitimate Copilot CLI functionality.
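The environment-variable mechanism described above, shown as an added example rather than GitHub's own patch code: the helper builds the GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n triple that forces safe.bareRepository=explicit onto a git child process, appending after any entries already in the environment so that they are not clobbered. The `run_git` wrapper and its argument names are this example's own.

```python
import os
import subprocess

# Config forced onto every git invocation. The page describes GitHub's fix as
# injecting safe.bareRepository=explicit through the GIT_CONFIG_* variables,
# which outrank every config file on disk.
HARDENED_CONFIG = [("safe.bareRepository", "explicit")]


def hardened_git_env(base_env=None, extra=()):
    """Copy base_env (default: os.environ) and append the hardened config pairs.

    Git reads GIT_CONFIG_KEY_0..GIT_CONFIG_KEY_{COUNT-1}, so new entries must be
    appended at the current count rather than written at index 0, or a caller's
    own GIT_CONFIG_* entries would be silently overwritten."""
    env = dict(os.environ if base_env is None else base_env)
    try:
        count = int(env.get("GIT_CONFIG_COUNT", "0"))
    except ValueError:
        count = 0  # Git dies on a non-numeric count; start a fresh list instead
    for key, value in list(HARDENED_CONFIG) + list(extra):
        env[f"GIT_CONFIG_KEY_{count}"] = key
        env[f"GIT_CONFIG_VALUE_{count}"] = value
        count += 1
    env["GIT_CONFIG_COUNT"] = str(count)
    return env


def run_git(args, cwd=None):
    """Run git with the hardened environment. An auto-discovered nested bare repo
    is now rejected by Git (fatal error, non-zero exit) instead of having its
    config applied; explicitly named bare repos keep working."""
    return subprocess.run(["git", *args], cwd=cwd, env=hardened_git_env(),
                          capture_output=True, text=True)
```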
Remediation
All GitHub Copilot CLI users should take the following actions immediately:
- Upgrade the @github/copilot npm package to v1.0.43 or later to apply the official patch.
- Audit project directories, especially vendor/, third_party/, and deeply nested subdirectories, for unexpected bare repositories (directories ending in .git without a working tree).
- Inspect dependencies for bundled bare repositories that may have been introduced via compromised packages.
- Apply caution when cloning external repositories or merging pull requests from untrusted contributors until the upgrade is confirmed.
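A scanner for the audit step above, added here as an example (not a tool from GitHub or the advisory): it walks a project tree, flags any nested directory that carries the top-level markers of a bare repository, and reports which of the executable config keys named on this page its config file sets. The key list is limited to the four the article names, the `demo()` tree with vendor/malicious.git is constructed sample data, and the command value is a placeholder.

```python
import os
import re
import tempfile

# Keys the page names as able to run shell commands; it notes more than fifteen
# exist, so this set is a starting point rather than a complete list.
EXEC_KEYS = {"core.fsmonitor", "core.hookspath", "diff.external", "merge.tool"}
BARE_MARKERS = ("HEAD", "config", "objects", "refs")  # top-level in a bare repo

def parse_git_config(text):
    """Minimal Git config parser -> {'section[.sub].key': value}, keys lower-cased."""
    entries, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r'\[(\S+?)(?:\s+"([^"]*)")?\]', line)  # [core] or [diff "x"]
        if m:
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
            continue
        key, _, value = line.partition("=")
        entries[f"{section}.{key.strip().lower()}"] = value.strip()
    return entries

def find_nested_bare_repos(root):
    """Report bare repos nested under root (own .git/ skipped) and their exec keys."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if dirpath != root and all(os.path.exists(os.path.join(dirpath, m)) for m in BARE_MARKERS):
            with open(os.path.join(dirpath, "config"), errors="replace") as f:
                cfg = parse_git_config(f.read())
            findings.append({"path": os.path.relpath(dirpath, root),
                             "bare": cfg.get("core.bare", "").lower() == "true",
                             "exec_keys": {k: v for k, v in cfg.items() if k in EXEC_KEYS}})
            dirnames[:] = []  # the repo's internals need no further walking
    return findings

def demo():
    """Constructed sample tree: vendor/malicious.git setting core.fsmonitor."""
    root = tempfile.mkdtemp()
    repo = os.path.join(root, "vendor", "malicious.git")
    for sub in ("objects", "refs"):
        os.makedirs(os.path.join(repo, sub))
    for name, body in {"HEAD": "ref: refs/heads/main\n",
                       "config": "[core]\n\tbare = true\n\tfsmonitor = PLACEHOLDER-COMMAND\n"}.items():
        with open(os.path.join(repo, name), "w") as f:
            f.write(body)
    return find_nested_bare_repos(root)
```

Any finding with a non-empty `exec_keys` deserves the same treatment as a dropped binary: quarantine the directory and trace how it entered the tree (PR, dependency, or clone).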
FAQ
Q1: What is CVE-2026-45033?
It is a moderate-severity arbitrary code execution flaw in GitHub Copilot CLI (≤ v1.0.42) triggered by malicious bare Git repositories via core.fsmonitor.
Q2: Which versions of GitHub Copilot CLI are affected?
All versions of the @github/copilot npm package at or below v1.0.42 are vulnerable; the patch is in v1.0.43.
Q3: How does safe.bareRepository=explicit prevent the attack?
It forces Git to ignore automatically discovered bare repositories during directory traversal, accepting only explicitly configured ones, blocking the attack vector entirely.
Q4: Can this vulnerability be exploited through a pull request?
Yes, an attacker can submit a PR that adds a directory containing a malicious bare repository, which will execute arbitrary commands once the victim uses Copilot CLI in that project.