GitHub Copilot Zero-Click CamoLeak Exposed: CVE-2025-59145 (CVSS 9.6) Allowed Silent Data Theft from Private Repos

by ddos · October 13, 2025

In June 2025, a researcher operating under the pseudonym rick disclosed a critical vulnerability in GitHub Copilot dubbed CamoLeak, rated CVSS 9.6. The flaw enabled an attacker to surreptitiously exfiltrate sensitive information and source code from private repositories and to hijack Copilot’s responses by injecting malicious code fragments or links.

GitHub Copilot is integrated into the GitHub UI and leverages repository context — commits, pull requests, files — to craft more accurate suggestions. It was precisely this contextual awareness that became the vector for abuse. Researchers at Legit Security discovered that hidden HTML comments in a pull-request description — a GitHub-supported feature — could carry covert prompts. These comments are ingested by Copilot yet remain unseen by ordinary users.

Worse, those stealth prompts propagate into Copilot’s context for other users who view the pull request, expanding the attack surface. This allowed an attacker to coerce Copilot, operating with the victim’s privileges, to exfiltrate data from the victim’s private repositories by encoding it in base16 and embedding it within URLs.

GitHub enforces a strict Content Security Policy (CSP) that forbids loading images from arbitrary external hosts. Nonetheless, the platform proxies all externally referenced images through its own Camo service, rewriting Markdown image URLs to camo.githubusercontent.com and appending a cryptographic signature. The researcher exploited that very mechanism by building an image lexicon — mapping each ASCII character to a distinct Camo URL. Each URL pointed to a tiny, transparent pixel served from the attacker’s server. By composing prompts as ASCII art composed of those images, Copilot was tricked into “drawing” the victim’s source data as a sequence of characters conveyed through Camo, thereby evading CSP. Cache-busting was achieved by appending a random query parameter so Copilot fetched each image anew.

In a proof-of-concept, the researcher demonstrated theft of a zero-day description from a private issue and an automated scan that located AWS keys within the victim’s codebase; all exfiltrated strings were transmitted via Camo links. The victim needed only to open the pull request page — no malicious code execution or link-clicking was required.

GitHub closed the vulnerability on August 14, 2025, temporarily mitigating the risk by disabling image rendering within Copilot.