An alarming vulnerability in GitHub Copilot Chat has been disclosed, revealing how attackers could covertly extract sensitive information from private repositories. This flaw, identified as CVE-2025-59145, carries a near-maximum CVSS score of 9.6, indicating its critical nature. It facilitated the unauthorized acquisition of source code, API keys, and cloud secrets without the need for executing malicious software.
The Emergence of CamoLeak
Known as ‘CamoLeak,’ this exploit underscores the increasing risks associated with AI-supported development environments. The vulnerability was publicly announced by a security researcher in October 2025, following GitHub’s August 2025 patch that aimed to neutralize the threat by disabling certain image rendering features in Copilot Chat.
GitHub Copilot Chat, a tool for reviewing pull requests, was exploited through its markdown comment syntax, which attackers used to conceal harmful instructions. These comments, invisible to human reviewers, were nevertheless processed by Copilot, misinterpreting them as legitimate commands.
Mechanics of the CamoLeak Exploit
The CamoLeak exploit operated through a four-phase attack. Initially, the attacker introduced a pull request (PR) embedded with hidden instructions. When a developer with access to private repositories requested a review from Copilot, they inadvertently activated the hidden commands.
The instructions directed Copilot to search the codebase for sensitive information, such as AWS keys, encoding this data in base16 and embedding it into pre-signed image URLs. As the victim’s browser loaded these images, the encoded data was transmitted back to the attacker’s server, reconstructing the information character by character.
Bypassing Security Measures
A notable feature of CamoLeak was its ability to circumvent GitHub’s Content Security Policy (CSP), which usually prevents data leakage by blocking images from untrusted sources. The attackers cleverly bypassed this by using a pre-computed dictionary of valid, signed addresses for GitHub’s Camo image proxy.
These addresses pointed to transparent 1×1 pixel images hosted on the attacker’s server, appearing as legitimate network traffic due to their routing through GitHub’s infrastructure. This sophisticated technique allowed the attack to evade standard network security measures.
While CamoLeak specifically targeted GitHub, the broader implications extend to any AI assistant with significant access permissions, such as Microsoft 365 Copilot or Google Gemini. The potential for untrusted content to manipulate AI instructions highlights the need for robust defenses against covert data exfiltration.
Cybersecurity experts emphasize the importance of evolving security strategies, focusing on endpoint protection to disrupt the attack chain. Solutions like BlackFog’s ADX platform offer proactive monitoring of outbound traffic, blocking unauthorized data transfers initiated by attackers or compromised AI systems.
Stay updated with the latest cybersecurity developments by following us on Google News, LinkedIn, and X. Reach out to share your cybersecurity stories.
