Impact
Capgo CLI before version 12.128.2 is vulnerable to an arbitrary file overwrite flaw in its login and build credential commands. The application follows symbolic links without validation, allowing an attacker who can place a malicious symlink inside a repository to overwrite any file that the CLI has write access to or to expose stored credentials by making them world‑readable. This weakness, identified as CWE‑59, can lead to unauthorized modification of application files or leakage of sensitive data, affecting the integrity and confidentiality of the build environment.
Affected Systems
Products affected are the Capgo CLI tool, any installation running a version earlier than 12.128.2. The vulnerability is triggered by local repository contents, meaning that any user running the CLI commands in a compromised repository is at risk. Users of the CLI on public or shared development repositories should check for unintended symlinks.
Risk and Exploitability
The CVSS score is 6.8, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, as an attacker needs to create a symlink within the repository and have a developer execute the CLI’s login or build commands. Because the flaw permits arbitrary file overwrite or credential exposure, the risk to a system is significant if an attacker gains access to write to repository files. Timely patching is advised to mitigate this risk.
OpenCVE Enrichment