CVE-2026-45033 - GitHub Copilot CLI nested bare repo RCE
GitHub Copilot CLI versions before 1.0.43 could execute commands from a
malicious bare Git repository nested inside a normal-looking project tree. The
danger is Git’s directory traversal: when an agent runs routine Git operations,
Git can discover a buried bare repository, load its config, and honor executable
settings such as core.fsmonitor, core.hookspath, diff.external, or merge
tool commands.
This recipe is for repositories that pin Copilot CLI, ship agent runtime
wrappers, import third-party source trees, or run coding agents on pull-request
content. A dependency bump is necessary, but production reviewers should also
look for agent shell wrappers that force safe.bareRepository=explicit and for
repo-intake checks that reject unexpected bare repositories.
When to use it
Use this recipe when a repository, agent workbench, CI job, or developer machine image installs GitHub Copilot CLI and runs it inside untrusted or model-modified workspaces. It is aimed at source-code remediation, Git workspace hygiene, supply-chain hardening, and audit evidence that nested bare repositories cannot influence agent Git operations.
Inputs
@github/copilotpackage version, lockfiles, install scripts, devcontainer images, CI jobs, and agent workspace bootstrap commands.- Git config defaults including
safe.bareRepository, global/system config, template directories, hook paths, diff/merge tools, and fsmonitor settings. - Safe fixture repositories that include benign nested bare repos and expected reject behavior without executing hooks or external commands.
- Evidence of workspace trust boundaries: downloaded archives, generated code, user uploads, cloned third-party repos, and model-created directories.
Affected versions
- Vulnerable:
@github/copilot <=1.0.42 - Fixed:
@github/copilot 1.0.43+ - Affected surface: Copilot CLI or automation that runs Git commands in untrusted, pull-request-supplied, vendored, generated, or dependency-sourced directories.
- Fixed behavior: Copilot CLI sets Git config precedence so
safe.bareRepository=explicitprevents automatic bare repository discovery.
Indicator-of-exposure
- The repository pins
@github/copilot, installs GitHub Copilot CLI in CI, or documents a local agent runtime using Copilot CLI. - Automated agents run
git status,git diff,git rev-parse,grep, search, dependency inspection, or code generation against untrusted branches, pull-request artifacts, vendored trees, extracted archives, or downloaded dependencies. - Source-intake policy does not reject directories ending in
.gitthat are not the repository root’s.gitmetadata. - Agent launch scripts do not set
safe.bareRepository=explicitwith high-precedence Git config environment variables. - The runtime has GitHub tokens, SSH keys, package registry tokens, cloud credentials, model provider keys, or writable source/workspace access.
Quick checks:
rg -n "@github/copilot|copilot-cli|safe\.bareRepository|GIT_CONFIG_COUNT|core\.fsmonitor|core\.hookspath|diff\.external|merge\.tool|\.git" .
npm ls @github/copilot
pnpm why @github/copilot
yarn why @github/copilot
find . -type d -name "*.git" -not -path "./.git" -prune -print
Windows:
rg -n "@github/copilot|copilot-cli|safe\.bareRepository|GIT_CONFIG_COUNT|core\.fsmonitor|core\.hookspath|diff\.external|merge\.tool|\.git" .
npm ls @github/copilot
pnpm why @github/copilot
yarn why @github/copilot
Get-ChildItem -Force -Recurse -Directory -Filter *.git | Where-Object { $_.FullName -ne (Join-Path (Get-Location) ".git") } | Select-Object -ExpandProperty FullName
Do not run Git commands inside suspicious nested bare repositories during triage unless the environment is isolated and all executable Git config has already been neutralized.
Remediation strategy
- Upgrade every repository-controlled
@github/copilotdependency, install script, lockfile, agent image, and developer-bootstrap path to1.0.43+. - Set
safe.bareRepository=explicitin agent shell wrappers and CI agent launchers using high-precedence Git config environment variables, especially where older global Git config or alternate CLIs may still run. - Add repository-intake checks that reject unexpected nested bare repositories in pull requests, vendored archives, generated artifacts, and dependency source drops.
- Treat nested
.gitdirectories as executable content until reviewed. If one is required for tests or fixtures, document it, make it inert, and exclude it from agent working directories. - Rotate credentials if a vulnerable agent processed an untrusted tree that contained a nested bare repository with executable Git config.
The prompt
You are remediating CVE-2026-45033 / GHSA-9ccr-r5hg-74gf, the GitHub Copilot
CLI nested bare Git repository command-execution issue. Produce exactly one
output:
- A reviewer-ready PR/change request that upgrades Copilot CLI, hardens Git
bare-repository handling for agent runtimes, rejects suspicious nested bare
repositories, refreshes generated artifacts, and documents operator cleanup,
or
- TRIAGE.md if this repository does not own a vulnerable Copilot CLI install,
agent wrapper, or source-intake boundary.
## Rules
- Scope only CVE-2026-45033 / GHSA-9ccr-r5hg-74gf and directly related Git
discovery hardening for coding-agent workspaces.
- Treat GitHub tokens, SSH keys, signing keys, package registry tokens, cloud
credentials, model provider keys, source code, agent transcripts, and local
workstation files as sensitive.
- Do not run Git commands inside suspicious nested bare repositories, execute
attacker-controlled Git config, clone unknown exploit repositories, or print
secrets to prove exposure.
- Do not remove dependency integrity checks, source provenance checks, or agent
sandboxing to make the upgrade pass.
- Do not auto-merge.
## Steps
1. Inventory every Copilot CLI and coding-agent runtime controlled by this
repository: `package.json`, lockfiles, Dockerfiles, devcontainers, CI
images, bootstrap scripts, task runners, shell wrappers, IDE setup docs,
agent config, SBOMs, and generated dependency reports.
2. Determine every resolved `@github/copilot` version. A target is vulnerable
if it resolves to `<=1.0.42`.
3. Search for Git invocation surfaces used by agents: `git status`,
`git diff`, `git rev-parse`, `git grep`, repository discovery helpers,
source indexing, dependency extraction, archive unpacking, PR checkout, and
vendored-code scanning.
4. Search for nested bare repository intake risks:
directories named `*.git`, directories with bare-repo `HEAD` and `config`
files, vendored archives, fixtures, generated source drops, dependency
mirrors, and PR-added binary/archive content.
5. If this repository only documents Copilot usage but does not pin, install,
launch, or wrap Copilot CLI, stop with `TRIAGE.md` listing checked files and
the required user action: upgrade Copilot CLI to `1.0.43+`.
6. Upgrade all controlled Copilot CLI installs to `@github/copilot 1.0.43+`.
Refresh lockfiles, package-manager metadata, images, SBOMs, bootstrap docs,
and dependency reports.
7. Add Git hardening where the repository controls an agent launcher:
- set `safe.bareRepository=explicit` using `GIT_CONFIG_COUNT`,
`GIT_CONFIG_KEY_*`, and `GIT_CONFIG_VALUE_*`;
- preserve existing Git config entries by appending rather than replacing
them;
- apply the setting to all child processes that may run Git;
- fail closed when the launcher cannot confirm the hardening is active.
8. Add source-intake defenses:
- reject unexpected nested directories ending in `.git`;
- reject bare repositories found under `vendor`, `third_party`, generated
source, extracted archives, or PR artifacts unless explicitly allow-listed;
- document any allow-listed fixture and prove it contains no executable Git
config.
9. Add safe regression checks:
- dependency policy rejects `@github/copilot <=1.0.42`;
- agent launcher tests assert `safe.bareRepository=explicit` is present in
the child-process environment;
- repository-intake tests detect a synthetic inert nested bare repo without
executing its config;
- logs redact tokens, local paths that expose usernames, and source snippets.
10. Add a PR body section named `CVE-2026-45033 operator actions` that states:
- Copilot CLI versions before and after;
- which agent runtimes or bootstrap scripts were hardened;
- whether any nested bare repositories were found and how they were
handled;
- whether vulnerable agents processed untrusted PRs, dependencies, or
archives;
- which credentials should be rotated if suspicious nested repos were
present;
- which validation commands passed.
11. Run relevant validation: package install, lockfile integrity, launcher
tests, source-intake tests, lint/typecheck, container build, SBOM refresh,
dependency/security scans, and any agent runtime smoke tests that do not
execute untrusted Git config.
12. Use PR title:
`fix(sec): remediate CVE-2026-45033 in Copilot CLI`.
## Stop conditions
- No controlled Copilot CLI install, wrapper, CI image, devcontainer, or agent
runtime exists.
- A fixed Copilot CLI cannot be consumed because the runtime is externally
managed; document the owner and required version in `TRIAGE.md`.
- Validation would require executing attacker-controlled Git config or running
Git inside a suspicious nested bare repository.
- Nested bare repositories are intentionally required and ownership cannot be
established; require human security review before allow-listing.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades Copilot CLI, forces safe Git defaults, detects/rejects nested bare repositories, adds regression tests, and documents workspace cleanup.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, Git config boundary, required fix, and residual workspace risk. - The output must include exact validation commands and must not execute hooks, external diff/merge tools, fsmonitor commands, or untrusted repo code.
Verification - what the reviewer looks for
- No controlled dependency, lockfile, image, bootstrap script, or dependency
report resolves
@github/copilot <=1.0.42. - Agent launchers set
safe.bareRepository=explicitfor child Git processes. - Source-intake checks reject unexpected nested bare repositories before agents run Git in those directories.
- Tests use inert fixtures and do not execute attacker-controlled Git config.
- Operator notes cover credential rotation if vulnerable agents processed suspicious source trees.
Watch for
- Updating
package.jsonwhile a global npm install, devcontainer image, or agent bootstrap script still installs an older Copilot CLI. - Scanning nested
.gitdirectories with Git itself before neutralizing executable config. - Replacing existing
GIT_CONFIG_COUNTentries and accidentally dropping other security-critical Git overrides. - Allow-listing test fixtures without proving they are inert.
- Treating this as a developer-only issue when CI and autonomous coding agents may process untrusted pull-request content.
Related recipes
- Source code supply chain build integrity audit
- Source code attack surface map
- Source code injection sink audit
- SAST finding triage and fix