GHSA-8mpm-q7mh-8fvh: Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)

March 18, 2026

The Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.

References

github.com/Cap-go/CLI/commit/b8aa5ccbfad2d7f10f3cdbc00910d4a6aab026b2
github.com/Cap-go/capgo
github.com/Cap-go/capgo/security/advisories/GHSA-8mpm-q7mh-8fvh
github.com/advisories/GHSA-8mpm-q7mh-8fvh

Code Behaviors & Features

Detect and mitigate GHSA-8mpm-q7mh-8fvh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →