Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN273
_____________________________________________________________________

DATE                : 09/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitHub Copilot versions prior
                                      to 0.0.423.

=====================================================================
https://github.com/github/copilot-cli/security/advisories/GHSA-g8r9-g2v8-jv6f
_____________________________________________________________________


Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution
High
andyfeller published GHSA-g8r9-g2v8-jv6f Mar 6, 2026

Package
@github/copilot (npm)

Affected versions
<= 0.0.422

Patched versions
0.0.423


Description

Summary

A security vulnerability has been identified in GitHub Copilot CLI's
shell tool that could allow arbitrary code execution through crafted
bash parameter expansion patterns. An attacker who can influence the
commands executed by the agent (e.g., via prompt injection through
repository files, MCP server responses, or user instructions) can
exploit bash parameter transformation operators to execute hidden
commands, bypassing the safety assessment that classifies commands
as "read-only."
Details

The vulnerability stems from how the CLI's shell safety assessment
evaluates commands before execution. The safety layer parses and
classifies shell commands as either read-only (safe) or write-capable
(requires user approval). However, several bash parameter expansion
features can embed executable code within arguments to otherwise
read-only commands, causing them to appear safe while actually
performing arbitrary operations.

The specific dangerous patterns are:

    ${var@P} — Prompt expansion: The @P parameter transformation
operator evaluates its value as a prompt string, which interprets
embedded command substitutions. This allows hidden command
execution inside what appears to be a simple variable reference.

    ${var=value} / ${var:=value} — Assignment side-effects: These
forms assign values to variables as a side-effect of expansion.
When chained with @P, an attacker can progressively build up a
command substitution string across multiple expansions.

    ${!var} — Indirect expansion: Dereferences an arbitrary
variable name, which can be combined with other patterns to
construct and execute commands dynamically.

    Nested $(cmd) or <(cmd) inside ${...} expansions: Command
substitution or process substitution embedded within parameter
expansion default values (e.g., ${HOME:-$(whoami)}) executes
the nested command.

Proof of Concept

The following command appears to run a harmless echo, but
actually executes touch /tmp/pwned through chained parameter
expansion:

echo ${a="$"}${b="$a(touch /tmp/pwned)"}${b@P}

How it works:

    ${a="$"} assigns the literal $ character to variable a
    ${b="$a(touch /tmp/pwned)"} expands $a to $, constructing
the string $(touch /tmp/pwned) and assigning it to b
    ${b@P} applies prompt expansion to b, which evaluates the
embedded $(touch /tmp/pwned) command substitution

Prior to the fix, the safety assessment would classify echo as
a read-only command and allow execution without user
confirmation — even in modes that normally require approval
for write operations.


Impact

An attacker who can influence command text sent to the shell
tool — for example, through:

    Prompt injection via malicious repository content (README
files, code comments, issue bodies)
    Compromised or malicious MCP server responses
    Crafted user instructions containing obfuscated commands

— could achieve arbitrary code execution on the user's workstation.
This is possible even in permission modes that require user
approval for write operations, since the commands can appear to be
using only read-only utilities to ultimately trigger write
operations.

Successful exploitation could lead to data exfiltration, file
modification, or further system compromise.


Affected Versions

    GitHub Copilot CLI versions prior to 0.0.423

Remediation and Mitigation

Fix

The fix adds two layers of defense:

    Parse-time detection: The shell safety assessment analyzes ${...}
expansion nodes within bash commands, detecting dangerous operators
(@P, =, :=, !) and nested command/process substitutions. Commands
containing these patterns are downgraded from read-only to
write-capable, ensuring they require user approval.

    Unconditional blocking: Commands with dangerous expansion patterns
are unconditionally blocked at the tool execution layer — regardless
of permission mode (including --yolo / autopilot). This prevents
exploitation even when all commands are auto-approved.

    System prompt hardening: The bash shell tool's system prompt now
includes explicit instructions for the LLM to refuse executing
commands with these patterns, providing a defense-in-depth layer.

User Actions

    Upgrade GitHub Copilot CLI to 0.0.423 or later.
    Exercise caution when working in untrusted repositories or with
untrusted MCP servers.
    Review any shell commands suggested by the agent that contain
complex parameter expansion patterns.


Severity
High
7.5/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-29783

Weaknesses
Weakness CWE-78


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================