CVE-2026-45033 - GitHub Copilot CLI nested bare repo RCE

GitHub Copilot CLI versions before 1.0.43 could execute commands from a malicious bare Git repository nested inside a normal-looking project tree. The danger is Git’s directory traversal: when an agent runs routine Git operations, Git can discover a buried bare repository, load its config, and honor executable settings such as core.fsmonitor, core.hookspath, diff.external, or merge tool commands.

This recipe is for repositories that pin Copilot CLI, ship agent runtime wrappers, import third-party source trees, or run coding agents on pull-request content. A dependency bump is necessary, but production reviewers should also look for agent shell wrappers that force safe.bareRepository=explicit and for repo-intake checks that reject unexpected bare repositories.

When to use it

Use this recipe when a repository, agent workbench, CI job, or developer machine image installs GitHub Copilot CLI and runs it inside untrusted or model-modified workspaces. It is aimed at source-code remediation, Git workspace hygiene, supply-chain hardening, and audit evidence that nested bare repositories cannot influence agent Git operations.

Inputs

  • @github/copilot package version, lockfiles, install scripts, devcontainer images, CI jobs, and agent workspace bootstrap commands.
  • Git config defaults including safe.bareRepository, global/system config, template directories, hook paths, diff/merge tools, and fsmonitor settings.
  • Safe fixture repositories that include benign nested bare repos and expected reject behavior without executing hooks or external commands.
  • Evidence of workspace trust boundaries: downloaded archives, generated code, user uploads, cloned third-party repos, and model-created directories.

Affected versions

  • Vulnerable: @github/copilot <=1.0.42
  • Fixed: @github/copilot 1.0.43+
  • Affected surface: Copilot CLI or automation that runs Git commands in untrusted, pull-request-supplied, vendored, generated, or dependency-sourced directories.
  • Fixed behavior: Copilot CLI sets Git config precedence so safe.bareRepository=explicit prevents automatic bare repository discovery.

Indicator-of-exposure

  • The repository pins @github/copilot, installs GitHub Copilot CLI in CI, or documents a local agent runtime using Copilot CLI.
  • Automated agents run git status, git diff, git rev-parse, grep, search, dependency inspection, or code generation against untrusted branches, pull-request artifacts, vendored trees, extracted archives, or downloaded dependencies.
  • Source-intake policy does not reject directories ending in .git that are not the repository root’s .git metadata.
  • Agent launch scripts do not set safe.bareRepository=explicit with high-precedence Git config environment variables.
  • The runtime has GitHub tokens, SSH keys, package registry tokens, cloud credentials, model provider keys, or writable source/workspace access.

Quick checks:

rg -n "@github/copilot|copilot-cli|safe\.bareRepository|GIT_CONFIG_COUNT|core\.fsmonitor|core\.hookspath|diff\.external|merge\.tool|\.git" .
npm ls @github/copilot
pnpm why @github/copilot
yarn why @github/copilot
find . -type d -name "*.git" -not -path "./.git" -prune -print

Windows:

rg -n "@github/copilot|copilot-cli|safe\.bareRepository|GIT_CONFIG_COUNT|core\.fsmonitor|core\.hookspath|diff\.external|merge\.tool|\.git" .
npm ls @github/copilot
pnpm why @github/copilot
yarn why @github/copilot
Get-ChildItem -Force -Recurse -Directory -Filter *.git | Where-Object { $_.FullName -ne (Join-Path (Get-Location) ".git") } | Select-Object -ExpandProperty FullName

Do not run Git commands inside suspicious nested bare repositories during triage unless the environment is isolated and all executable Git config has already been neutralized.

Remediation strategy

  • Upgrade every repository-controlled @github/copilot dependency, install script, lockfile, agent image, and developer-bootstrap path to 1.0.43+.
  • Set safe.bareRepository=explicit in agent shell wrappers and CI agent launchers using high-precedence Git config environment variables, especially where older global Git config or alternate CLIs may still run.
  • Add repository-intake checks that reject unexpected nested bare repositories in pull requests, vendored archives, generated artifacts, and dependency source drops.
  • Treat nested .git directories as executable content until reviewed. If one is required for tests or fixtures, document it, make it inert, and exclude it from agent working directories.
  • Rotate credentials if a vulnerable agent processed an untrusted tree that contained a nested bare repository with executable Git config.

The prompt

You are remediating CVE-2026-45033 / GHSA-9ccr-r5hg-74gf, the GitHub Copilot
CLI nested bare Git repository command-execution issue. Produce exactly one
output:

- A reviewer-ready PR/change request that upgrades Copilot CLI, hardens Git
  bare-repository handling for agent runtimes, rejects suspicious nested bare
  repositories, refreshes generated artifacts, and documents operator cleanup,
  or
- TRIAGE.md if this repository does not own a vulnerable Copilot CLI install,
  agent wrapper, or source-intake boundary.

## Rules

- Scope only CVE-2026-45033 / GHSA-9ccr-r5hg-74gf and directly related Git
  discovery hardening for coding-agent workspaces.
- Treat GitHub tokens, SSH keys, signing keys, package registry tokens, cloud
  credentials, model provider keys, source code, agent transcripts, and local
  workstation files as sensitive.
- Do not run Git commands inside suspicious nested bare repositories, execute
  attacker-controlled Git config, clone unknown exploit repositories, or print
  secrets to prove exposure.
- Do not remove dependency integrity checks, source provenance checks, or agent
  sandboxing to make the upgrade pass.
- Do not auto-merge.

## Steps

1. Inventory every Copilot CLI and coding-agent runtime controlled by this
   repository: `package.json`, lockfiles, Dockerfiles, devcontainers, CI
   images, bootstrap scripts, task runners, shell wrappers, IDE setup docs,
   agent config, SBOMs, and generated dependency reports.
2. Determine every resolved `@github/copilot` version. A target is vulnerable
   if it resolves to `<=1.0.42`.
3. Search for Git invocation surfaces used by agents: `git status`,
   `git diff`, `git rev-parse`, `git grep`, repository discovery helpers,
   source indexing, dependency extraction, archive unpacking, PR checkout, and
   vendored-code scanning.
4. Search for nested bare repository intake risks:
   directories named `*.git`, directories with bare-repo `HEAD` and `config`
   files, vendored archives, fixtures, generated source drops, dependency
   mirrors, and PR-added binary/archive content.
5. If this repository only documents Copilot usage but does not pin, install,
   launch, or wrap Copilot CLI, stop with `TRIAGE.md` listing checked files and
   the required user action: upgrade Copilot CLI to `1.0.43+`.
6. Upgrade all controlled Copilot CLI installs to `@github/copilot 1.0.43+`.
   Refresh lockfiles, package-manager metadata, images, SBOMs, bootstrap docs,
   and dependency reports.
7. Add Git hardening where the repository controls an agent launcher:
   - set `safe.bareRepository=explicit` using `GIT_CONFIG_COUNT`,
     `GIT_CONFIG_KEY_*`, and `GIT_CONFIG_VALUE_*`;
   - preserve existing Git config entries by appending rather than replacing
     them;
   - apply the setting to all child processes that may run Git;
   - fail closed when the launcher cannot confirm the hardening is active.
8. Add source-intake defenses:
   - reject unexpected nested directories ending in `.git`;
   - reject bare repositories found under `vendor`, `third_party`, generated
     source, extracted archives, or PR artifacts unless explicitly allow-listed;
   - document any allow-listed fixture and prove it contains no executable Git
     config.
9. Add safe regression checks:
   - dependency policy rejects `@github/copilot <=1.0.42`;
   - agent launcher tests assert `safe.bareRepository=explicit` is present in
     the child-process environment;
   - repository-intake tests detect a synthetic inert nested bare repo without
     executing its config;
   - logs redact tokens, local paths that expose usernames, and source snippets.
10. Add a PR body section named `CVE-2026-45033 operator actions` that states:
    - Copilot CLI versions before and after;
    - which agent runtimes or bootstrap scripts were hardened;
    - whether any nested bare repositories were found and how they were
      handled;
    - whether vulnerable agents processed untrusted PRs, dependencies, or
      archives;
    - which credentials should be rotated if suspicious nested repos were
      present;
    - which validation commands passed.
11. Run relevant validation: package install, lockfile integrity, launcher
    tests, source-intake tests, lint/typecheck, container build, SBOM refresh,
    dependency/security scans, and any agent runtime smoke tests that do not
    execute untrusted Git config.
12. Use PR title:
    `fix(sec): remediate CVE-2026-45033 in Copilot CLI`.

## Stop conditions

- No controlled Copilot CLI install, wrapper, CI image, devcontainer, or agent
  runtime exists.
- A fixed Copilot CLI cannot be consumed because the runtime is externally
  managed; document the owner and required version in `TRIAGE.md`.
- Validation would require executing attacker-controlled Git config or running
  Git inside a suspicious nested bare repository.
- Nested bare repositories are intentionally required and ownership cannot be
  established; require human security review before allow-listing.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades Copilot CLI, forces safe Git defaults, detects/rejects nested bare repositories, adds regression tests, and documents workspace cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, Git config boundary, required fix, and residual workspace risk.
  • The output must include exact validation commands and must not execute hooks, external diff/merge tools, fsmonitor commands, or untrusted repo code.

Verification - what the reviewer looks for

  • No controlled dependency, lockfile, image, bootstrap script, or dependency report resolves @github/copilot <=1.0.42.
  • Agent launchers set safe.bareRepository=explicit for child Git processes.
  • Source-intake checks reject unexpected nested bare repositories before agents run Git in those directories.
  • Tests use inert fixtures and do not execute attacker-controlled Git config.
  • Operator notes cover credential rotation if vulnerable agents processed suspicious source trees.

Watch for

  • Updating package.json while a global npm install, devcontainer image, or agent bootstrap script still installs an older Copilot CLI.
  • Scanning nested .git directories with Git itself before neutralizing executable config.
  • Replacing existing GIT_CONFIG_COUNT entries and accidentally dropping other security-critical Git overrides.
  • Allow-listing test fixtures without proving they are inert.
  • Treating this as a developer-only issue when CI and autonomous coding agents may process untrusted pull-request content.

References