Critical Security Update: Patches for CVE-2025-58189 and CVE-2025-61725 in GitHub CLI on Fedora 43

 

Critical security update for Fedora 43: Patch CVE-2025-58189 & CVE-2025-61725 in the GitHub CLI (gh) tool now. This guide covers the vulnerabilities, update instructions, and best practices for Linux system security. Secure your DevOps workflow today. 

Urgent Fedora 43 gh Update Mitigates High-Severity Vulnerabilities

Are you managing your GitHub repositories and infrastructure directly from the Linux command line? If you're a Fedora 43 user leveraging the powerful GitHub CLI (gh), a critical security update demands your immediate attention. 

The release of gh version 2.83.0 addresses two significant Common Vulnerabilities and Exposures (CVEs)—CVE-2025-58189 and CVE-2025-61725—that could impact your system's security and performance. This isn't just a routine patch; it's an essential safeguard for your development workflow.

Maintaining a secure software supply chain is paramount in modern DevOps and system administration. This advisory provides a comprehensive breakdown of the threats, the updated package, and step-by-step instructions to secure your system, ensuring you can continue your work with confidence and authority.

Understanding the Security Threats: CVE-2025-58189 and CVE-2025-61725

To appreciate the urgency of this update, let's dissect the specific vulnerabilities. The Red Hat Bugzilla entries, 2408169 and 2408706, serve as the primary sources for this information, detailing the technical underpinnings of these flaws.

• CVE-2025-58189: ALPN Negotiation Information Disclosure Flaw: This vulnerability resides within the go crypto/tls library, a dependency of the GitHub CLI. During an Application-Layer Protocol Negotiation (ALPN) error, the tool could leak information controlled by a potential attacker. In practice, this could allow a malicious actor to manipulate error messages, potentially revealing sensitive internal data about your system or network configuration, a critical concern for enterprise security.

• CVE-2025-61725: Excessive CPU Consumption via Net/Mail: The second vulnerability is a Denial-of-Service (DoS) vector found in the ParseAddress function of Go's net/mail package. An attacker could craft a specially designed email address that, when processed by the gh tool, causes excessive CPU consumption. This could lead to system resource exhaustion, rendering your machine unresponsive and disrupting critical development or deployment pipelines.

The Role of GitHub CLI in Modern Development Workflows

For those unfamiliar, the GitHub CLI tool, or gh, is an indispensable utility for developers and sysadmins. It extends GitHub's functionality directly into the terminal, enabling users to manage pull requests, issues, repositories, and CI/CD checks without context-switching to a web browser. Its integration into scripting and automation makes it a cornerstone of efficient, agile development practices. 

Consequently, a vulnerability in such a centrally connected tool has a high potential impact, making this update a top priority for anyone invested in Linux security and software development lifecycle management.

Step-by-Step Guide to Applying the Fedora 43 Update

Resolving these critical security issues is a straightforward process using Fedora's powerful DNF package manager. The following instructions will guide you through securing your system.

To install this update, run the following command in your terminal:

bash

sudo dnf upgrade --advisory FEDORA-2025-6981d97f47

This command specifically targets the advisory, ensuring you receive the correct patched version. For a more general update check that will also include this fix, you can execute:

bash

sudo dnf update gh

What is the specific command to update the GitHub CLI on Fedora 43? You can update the gh package and resolve these CVEs by running sudo dnf update gh or by directly applying the advisory with sudo dnf upgrade --advisory FEDORA-2025-6981d97f47.

Following the update, we highly recommend restarting any active terminals or shell sessions to ensure all running instances of gh are refreshed with the patched binary. This is a fundamental best practice in Linux system administration after applying security patches.

Proactive Security Posture and Vulnerability Management

This incident highlights the importance of a proactive approach to cybersecurity. Relying on timely vulnerability scanning and patch management is non-negotiable. For organizations, employing a centralized patch management system can automate this process, reducing the window of exposure.

The Fedora Project's security team, in collaboration with Red Hat's product security, demonstrates a robust framework by rapidly identifying, documenting, and distributing this patch. Their authoritative sources, like the official Bugzilla entries, provide the transparency needed for trust.

The Bigger Picture: Open Source Software Supply Chain Security

Vulnerabilities in ubiquitous tools like gh underscore the interconnected nature of the open-source software supply chain. A flaw in a core Go library can cascade into numerous applications. This event serves as a reminder to:

• Subscribe to security mailing lists for your distribution.

• Regularly audit the dependencies in your own projects.

• Integrate software composition analysis (SCA) tools into your CI/CD pipelines.

Frequently Asked Questions (FAQ)

Q: What is the GitHub CLI (gh) tool used for?

A: The GitHub CLI is a command-line interface that allows you to interact with GitHub directly from your terminal. It enables you to manage pull requests, issues, Gists, repositories, and automate workflows through scripts, significantly enhancing developer productivity.

Q: How critical are these CVE vulnerabilities?

A: Both are considered serious. CVE-2025-58189 is an information disclosure flaw that could leak sensitive data, while CVE-2025-61725 is a resource exhaustion vulnerability that could lead to a denial-of-service condition. Applying the patch is highly recommended.

Can I check my current gh version?

A: Yes. Open a terminal and run gh --version. If it shows a version lower than 2.83.0, you are vulnerable and should update immediately.

Q: Where can I find more information on these CVEs?

A: The most authoritative sources are the linked Red Hat Bugzilla entries: CVE-2025-58189 and CVE-2025-61725.

Conclusion: Secure Your System Today

In the realm of cybersecurity, vigilance is your first and best defense. The patched gh package for Fedora 43 directly addresses two vulnerabilities that threaten both data confidentiality and system availability. By following the update instructions provided, you are not only securing a single tool but fortifying a key node in your development ecosystem.

Call to Action: Do not delay. Open your terminal now and execute the update command to protect your system from these known threats. For ongoing security insights and Linux administration guides, consider bookmarking our site.