CVE-2026-45803— gh: GitHub Actions log output in `gh run view` allows terminal escape sequence injection

gh: GitHub Actions log output in `gh run view` allows terminal escape sequence injection

`gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. The vulnerability stems from the way GitHub CLI handles raw Actions log output. The gh run view --log and gh run view --log-failed commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run. Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on screen content, or in some terminal emulators (such as screen) potentially execute arbitrary commands. This vulnerability is fixed in 2.92.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

转义、元或控制序列转义处理不恰当

GitHub CLI 安全漏洞

GitHub CLI是GitHub CLI开源的一个命令行上的 GitHub。 GitHub CLI 1.6.0至2.92.0之前版本存在安全漏洞，该漏洞源于处理GitHub Actions工作流日志时未清理终端控制序列，可能导致攻击者通过PR触发的工作流嵌入转义序列，在用户查看日志时改变窗口标题、操纵屏幕内容或在某些终端模拟器中执行任意命令。以下版本受到影响：1.6.0版本至2.92.0之前版本。

N/A

N/A