GitHub Copilot for JetBrains Remote Code Execution Vulnerability
A critical vulnerability, tracked as CVE-2025-64671, was identified in GitHub Copilot for JetBrains, allowing improper neutralization of special elements used in a command, leading to potential command injection and local code execution. The flaw enables an unauthorized attacker to execute arbitrary code on the affected system, with a CVSS 3.1 base score of 8.4, indicating high severity. The vulnerability is not remotely exploitable but can be triggered locally, either through direct access or by tricking a user into executing malicious commands.
Security advisories from both cvefeed.io and Microsoft confirm the technical details, highlighting that the vulnerability stems from improper handling of command input within the Copilot integration for JetBrains IDEs. No specific affected product versions have been listed yet, but the issue is confirmed and assigned by Microsoft. Organizations using GitHub Copilot for JetBrains are advised to monitor for updates and apply patches as soon as they become available to mitigate the risk of local code execution attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2025-64671 in GitHub Copilot for JetBrains
Microsoft published an MSRC advisory for CVE-2025-64671, a high-severity command-injection flaw in GitHub Copilot for JetBrains that could allow local code execution without privileges or user interaction. The vulnerability was published as part of Microsoft's December 2025 security updates.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GitHub Copilot Chat Vulnerability Enabling Data Exfiltration via Image Proxy Abuse
A critical vulnerability was discovered in GitHub Copilot Chat that could have allowed attackers to exfiltrate private source code and sensitive secrets from repositories by exploiting the platform’s AI assistant and image proxying service. The flaw, identified by Legit Security researcher Omer Mayraz, involved a sophisticated attack chain that combined remote prompt injection with a bypass of GitHub’s content security policy. Attackers could embed hidden prompts within pull request comments or other repository content, which Copilot Chat would process without proper isolation or validation. This allowed the attacker to manipulate Copilot’s responses and assemble signed image links that leveraged GitHub’s Camo image proxy service to transmit stolen data outside the platform. The exploit, dubbed "CamoLeak," demonstrated that even advanced AI-powered developer tools can be manipulated to leak confidential information, including passwords and private keys, with minimal user awareness. The proof-of-concept attack showed that the exfiltration channel was subtle enough to evade detection by both users and GitHub’s monitoring systems. GitHub Copilot Chat’s context awareness, which enables it to read repository files, pull requests, and other workspace artifacts, was a key factor in the attack’s success, as it provided the AI assistant with access to sensitive data that could be extracted through manipulated prompts. Upon responsible disclosure via HackerOne, GitHub responded by disabling image rendering in Copilot Chat and patching the vulnerability as of August 14. The incident highlights the growing risks associated with integrating AI agents into software development workflows, especially when such agents have broad access to sensitive project data. Security experts noted that while the attack was limited in the amount of data it could exfiltrate at once, the potential impact was significant due to the nature of the information at risk. The case underscores the importance of rigorous security validation for AI-driven features and the need for continuous monitoring of new attack vectors as AI adoption accelerates in development environments. GitHub’s swift response and remediation efforts were commended, but the event serves as a cautionary tale for organizations relying on AI-powered coding assistants. The vulnerability also illustrates the creative lengths attackers may go to bypass security controls, turning legitimate platform features like image proxies into covert data exfiltration channels. The research community continues to scrutinize AI integrations for similar weaknesses, emphasizing the need for secure-by-design principles in next-generation developer tools. Organizations are advised to review their use of AI assistants, ensure prompt application of security updates, and educate developers about the risks of prompt injection and related attacks. The incident has prompted broader discussions about the balance between AI functionality and security, especially as more platforms embed intelligent agents into core workflows. Ultimately, the GitHub Copilot Chat vulnerability demonstrates both the promise and peril of AI in software development, reinforcing the need for vigilance and proactive defense measures.
Apr 10, 2026
RoguePilot Prompt-Injection Flaw in GitHub Codespaces Allowed Copilot to Leak `GITHUB_TOKEN`
Microsoft patched an AI-mediated vulnerability in **GitHub Codespaces** dubbed **RoguePilot** (reported by Orca Security) that could let an attacker seize control of repositories by embedding hidden instructions in a GitHub issue. When a developer launched a Codespace from a malicious issue, the issue text could be automatically ingested by the built-in **GitHub Copilot** agent, enabling *passive/indirect prompt injection* that coerced the agent into executing attacker-directed actions and leaking sensitive credentials—most notably a privileged `GITHUB_TOKEN`—potentially enabling repository takeover and downstream supply-chain impact. The disclosure reinforces a broader risk pattern where **developer tools and AI agents** become high-trust entry points for supply-chain compromise, as highlighted by commentary describing how dev-platform footholds can cascade into cloud and SaaS environments via token theft and trusted integrations. Separate reporting also notes increasing attacker speed and AI-enabled tradecraft, but those items are not specific to RoguePilot; the core actionable takeaway is that AI agents embedded in developer workflows can be manipulated through untrusted content (e.g., issues/PRs) unless strong isolation, least-privilege token scoping, and explicit user confirmation/guardrails prevent autonomous execution and secret exfiltration.
Mar 21, 2026
Git Carriage Return Flaw Enables Code Execution During Submodule Initialization
A high-severity vulnerability tracked as **CVE-2025-48384** affects Git’s handling of configuration values containing trailing carriage returns, creating a path for unintended script execution during submodule initialization. According to Armis, the flaw can be abused when an attacker can influence the relevant configuration context, potentially turning routine clone or submodule operations into code execution. Microsoft’s Security Update Guide also lists the issue, identifying it as a Git/GitHub vulnerability. Public exploit activity quickly followed disclosure, with multiple GitHub repositories publishing proof-of-concept material for **CVE-2025-48384**, including variants described as working over HTTPS and others explicitly labeling the issue as carriage-return-driven remote code execution on cloning. The appearance of several PoC repositories indicates that exploit details are broadly accessible, increasing the likelihood of weaponization against developers and build environments that process untrusted repositories or submodules.
May 25, 2026