GitHub Copilot Chat Vulnerability Allows Data Exfiltration via CamoLeak

Severity: High (Score: 66.0)

Sources: Gbhackers, Cybersecuritynews

Summary

A high-severity vulnerability in GitHub Copilot Chat, tracked as CVE-2025-59145, was disclosed on April 10, 2026. This flaw, with a CVSS score of 9.6, enabled attackers to exfiltrate sensitive data from private repositories without executing malicious code. The attack method involved a prompt injection technique known as 'CamoLeak,' allowing the theft of source code, API keys, and cloud secrets. Organizations using GitHub Copilot Chat are at risk, as the vulnerability affects the integrity of their private data. The flaw was publicly disclosed by a security researcher, raising awareness of the potential exploitation. As of now, no patches have been reported to mitigate this vulnerability. Security teams are urged to assess their use of GitHub Copilot and monitor for any suspicious activity. The vulnerability was published on September 15, 2025, but its exploitation has only recently come to light.

Key Points

  • CVE-2025-59145 has a critical CVSS score of 9.6, indicating high severity.
  • The vulnerability allows data exfiltration without malicious code execution.
  • The attack method involves prompt injection known as 'CamoLeak.'

Key Entities

  • Data Breach (attack_type)
  • CVE-2025-59145 (cve)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • GitHub Copilot Chat (platform)
  • CamoLeak (vulnerability)