CamoLeak: Copilot Chat exploit

GitHub Copilot Chat could be tricked into leaking private code and secrets from repositories a user was allowed to access. (legitsecurity.com) Copilot Chat works by reading repository context — code, pull requests, issues and commits — so it can answer questions inside GitHub and editors. GitHub added image input to Copilot Chat in public preview on March 6, 2025, expanding the kinds of content the assistant could process. (github.blog) Legit Security researcher Omer Mayraz said he found the flaw in June 2025 and reported it through HackerOne. His write-up said GitHub fixed it by August 14, 2025, by disabling image rendering in Copilot Chat. (legitsecurity.com) (bankinfosecurity.com) The attack started with a hidden instruction inside a pull request description, using an invisible comment that human reviewers would not see in the rendered page. When another user later asked Copilot Chat to explain or summarize that pull request, the assistant still read the hidden text and followed the attacker’s directions. (legitsecurity.com) (nudgesecurity.com) That kind of attack is called indirect prompt injection: the model absorbs hostile instructions from outside content instead of from the user typing in chat. GitHub warned in an August 25, 2025 security post that poisoned chat context can expose tokens, confidential files or trigger sensitive actions without explicit user consent. (github.blog) Mayraz said the second step used GitHub’s Camo image proxy, which rewrites outside image links into GitHub-hosted signed URLs that pass the site’s content security rules. The exploit encoded private data into sequences of image requests so the victim’s browser sent the data out while appearing to load ordinary images. (nudgesecurity.com) (legitsecurity.com) The researcher said Copilot Chat ran with the permissions of the signed-in user, so the model could reach private repositories, issue text and secrets that user could already see. The reported impact included source code, application programming interface keys, cloud credentials and unpublished vulnerability details. (legitsecurity.com) (theregister.com) The same injected prompt could also steer Copilot’s answers, including recommending a malicious package name or unsafe links in the middle of a normal coding session. Nudge Security said teams should hunt for hidden comments, unusual image references and Camo-related artifacts in pull requests and issues. (legitsecurity.com) (nudgesecurity.com) One detail remains muddy: several reports label the flaw as CVE-2025-59145, but GitHub’s public advisory database uses that identifier for an unrelated compromise of the npm package color-name. That leaves the exploit chain, the August 2025 fix and the defensive lesson clearer than the public CVE labeling. (github.com) (thearabianpost.com)