Get details on our discovery of a critical vulnerability in GitHub Copilot Chat. TL;DR: In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links. The attack combined a novel CSP bypass using GitHub’s own infrastructure with remote prompt injection. I reported it via HackerOne, and GitHub fixed it by disabling image rendering in Copilot Chat completely. Background GitHub Copilot Chat is an AI assistant built into GitHub that helps developers by answering questions, explaining code, and suggesting implementations directly in their workflow. Copilot Chat is context-aware: it can use information from the repository (such as code, commits, or pull requests) to provide tailored answers. As always, more context = more attack surface. Finding the prompt injection As mentioned earlier, GitHub Copilot is context-aware - so I set out to make it notice me. To do this, I embedded a prompt directed at Copilot inside a pull request description. But what’s the point if everyone can see it? Luckily, GitHub came to the rescue with a proper solution: invisible comments are an official feature! 🎉 You can find more details in their documentation: Hiding content with comments. By simply putting the content you want to hide inside: I tried the same prompt but this time as a hidden comment inside the PR description, and it worked! Interestingly, posting a hidden comment triggers the usual PR notification to the repo owner, but the content of the hidden comment isn’t revealed anywhere. I attempted logging in with a different user and visited the pull request page. The prompt was injected into my context as well! I then replaced the original “HOORAY” prompt with far more complex instructions, including code suggestions and Markdown rendering, and to my surprise, they worked flawlessly! For insta...
First seen: 2025-10-12 05:17
Last seen: 2025-10-12 19:19