Critical GitHub Copilot Vulnerability Allowed Source Code and Secret Exfiltration
By greyadept
Summary
A critical vulnerability (CVSS 9.6) was discovered in GitHub Copilot Chat in June 2025 that allowed attackers to silently exfiltrate secrets and source code from private repositories. The attack combined a novel Content Security Policy (CSP) bypass using GitHub's own infrastructure with remote prompt injection, giving attackers full control over Copilot's responses including the ability to suggest malicious code or links. The vulnerability was reported via HackerOne and GitHub has since addressed the security issue.
Key quotes
I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos.
The attack combined a novel CSP bypass using GitHub's own infrastructure with remote prompt injection.
Gave me full control over Copilot's responses, including suggesting malicious code or links.
I reported it via HackerOne, and GitHub has addressed the security issue.