Camoleak Critical Github Copilot Vulnerability Leaks Private Source Code A critical vulnerability in github copilot chat, dubbed “camoleak,” allowed attackers to silently steal source code and secrets from private repositories using a sophisticated prompt injection technique. the flaw, which carried a cvss score of 9.6, has since been patched by github. A github copilot chat bug let attackers steal private code via prompt injection. learn how camoleak worked and how to defend against ai risks.
Camoleak Critical Github Copilot Vulnerability Leaks Private Source Code Camoleak exploited that behavior by hiding malicious instructions inside pull request descriptions using github’s own invisible markdown comment syntax. these comments are never displayed in the standard web interface, but copilot ingests them as raw context and treats them as legitimate instructions. Introduction: ai powered coding assistants like github copilot boost developer productivity but introduce a dangerous attack surface: prompt injection. the recently disclosed cve 2025 59145 (cvss 9.6), dubbed “camoleak,” allowed attackers to silently exfiltrate sensitive data—including api keys, tokens, and proprietary source code—by tricking copilot chat into rendering malicious. We've written about silent exfiltration through model output as a theoretical attack class. camoleak is the first documented case of it working against a production ai coding tool, using a novel encoding technique that bypasses content security policies by design. A critical vulnerability in github copilot chat (”camoleak”) allowed attackers to silently exfiltrate private repository content and secrets and to steer copilot’s responses to suggest malicious packages links.
Camoleak Critical Github Copilot Vulnerability Leaks Private Source Code We've written about silent exfiltration through model output as a theoretical attack class. camoleak is the first documented case of it working against a production ai coding tool, using a novel encoding technique that bypasses content security policies by design. A critical vulnerability in github copilot chat (”camoleak”) allowed attackers to silently exfiltrate private repository content and secrets and to steer copilot’s responses to suggest malicious packages links. Cybersecurity researchers have discovered a critical flaw in github copilot chat, dubbed “camoleak,” that could let attackers manipulate the ai assistant into secretly leaking sensitive user. Tracked as cve 2025 59145 with a near perfect cvss score of 9.6, the flaw enabled the theft of source code, api keys, and cloud secrets without requiring the execution of any malicious code. dubbed “camoleak,” this exploit highlights a growing threat in ai assisted development. Github copilot chat was quietly turned into an exfiltration channel by a newly disclosed flaw, dubbed camoleak, that let attackers hide prompts in pull. In june 2025, i found a critical vulnerability in github copilot chat (cvss 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over copilot’s responses, including suggesting malicious code or links.
Comments are closed.