Copilot Chat 'CamoLeak' flaw

GitHub Copilot Chat is supposed to be a coding assistant that reads the same repository context you can read and answers questions inside GitHub. In CamoLeak, that “helpful coworker” behavior turned into a courier that could carry private code and secrets out of a company repo without malware ever running on the developer’s machine. (legitsecurity.com) The trick started with prompt injection, which is when an attacker hides instructions for an artificial intelligence model inside content the model is allowed to read. In this case, researcher Omer Mayraz said Copilot Chat could pick up attacker-written instructions from a pull request description and follow them while answering another user. (legitsecurity.com) A pull request is the page developers use to propose code changes and discuss them before merging. GitHub supports Markdown formatting on those pages, and hidden comment syntax can make text invisible in the rendered view even though it still exists in the underlying content Copilot reads. (docs.github.com) (legitsecurity.com) That meant an attacker could leave instructions in a pull request that a human reviewer would not notice on the page. Mayraz’s write-up says even a different user who later asked Copilot to explain the pull request could inherit those hidden instructions in the chat context. (legitsecurity.com) The next piece was permissions. Copilot Chat answers with the same access rights as the person asking the question, so if an engineer had access to a private repository, Copilot could read that private code to help them. (legitsecurity.com) CamoLeak turned that access into exfiltration, which is the security term for quietly moving data out. The researcher says the injected prompt told Copilot to read private repository content, encode it as base16 text, and place it inside a web link so the data would leave when the victim clicked. (legitsecurity.com) A content security policy is supposed to act like a building’s exit list by limiting which outside resources a web page can load. The reported bypass used GitHub’s own Camo image proxy, a service that fetches and rewrites external images, to sneak data through a channel the page already trusted. (mintmcp.com) (blackfog.com) That is why the bug landed at Common Vulnerability Scoring System 9.6, which sits near the top of the severity scale. Reports on the disclosure say the flaw could expose source code, application programming interface keys, cloud credentials, and other secrets from private repositories used by companies. (legitsecurity.com) (cyberpress.org) The timeline matters here. Mayraz says he found the issue in June 2025, reported it through HackerOne, and GitHub fixed it in August 2025 by disabling image rendering in Copilot Chat before the public disclosure in October 2025. (legitsecurity.com) (vpncentral.com) The uncomfortable lesson is that an artificial intelligence coding tool does not need to “hack” a repository if it already has permission to read one. Once a chat assistant can see pull requests, private code, and outbound links in the same workflow, a hidden sentence in the wrong place can turn normal developer convenience into a data leak path. (legitsecurity.com)