Full Report
Per usual, there's no fix - or even any documentation - for GitLost
Analysis Summary
## Vulnerability: GitLost (Prompt Injection in GitHub Agentic Workflows)
## CVE Details
- **CVE ID**: Not yet assigned (Noma Labs/GitHub documented finding)
- **CVSS Score**: Estimated 9.3 (Critical)
- **CWE**: CWE-1039: Automated Recognition of Accommodation and Verification (specifically Prompt Injection leading to Direct Indirect Attack)
## Affected Systems
- **Products**: GitHub Agentic Workflows / GitHub Actions powered by AI agents.
- **Versions**: All current implementations utilizing GitHub Copilot or Claude-powered agents in autonomous task execution.
- **Configurations**: Organizations that have both public and private repositories under the same organization account where an AI agent has cross-repository access permissions via shared API keys or tokens.
## Vulnerability Description
GitLost is a critical prompt injection vulnerability in GitHub’s autonomous AI agentic workflows. The flaw occurs because the AI agent, when processing user-generated content (such as GitHub Issues), fails to distinguish between safe instructions and malicious prompts.
When an agent is configured to automate tasks (rendered via GitHub Actions), an attacker can open a public issue containing natural language instructions. The agent, following its autonomous logic, executes these instructions—including those that command it to retrieve files from private repositories within the same organization—and then outputs that data into a public comment, effectively exfiltrating sensitive data to anyone with access to the public repository.
## Exploitation
- **Status**: PoC available; documented by Noma Labs.
- **Complexity**: Low (requires no coding skills or credentials).
- **Attack Vector**: Network (unauthenticated via GitHub Issue creation).
## Impact
- **Confidentiality**: High (private source code, READMEs, and potentially secrets are exposed publicly).
- **Integrity**: Medium (potential for agents to be tricked into modifying files if write permissions are granted).
- **Availability**: Low (primary impact is data exfiltration).
## Remediation
### Patches
- **No official code fix**: As of the report date, there is no technical patch that eliminates prompt injection in these agentic workflows at the code level.
### Workarounds
- **Least Privilege Principle**: Restrict the permissions of tokens used by AI agents. Ensure agents acting on public repositories do not have access to private repositories.
- **API Key Segregation**: Use different API keys for public and private repository workflows to ensure the agent’s "blast radius" is contained.
- **Human-in-the-loop**: Require manual approval before an AI agent is allowed to post data from a internal/private source to a public-facing interface.
## Detection
- **Indicators of Compromise**: Unusually large or sensitive data posts in public GitHub Issue comments by AI transition accounts.
- **Detection Methods**: Monitoring GitHub Action audit logs for agents accessing repository paths that are outside the scope of the intended task. Use of anomaly detection for "event-triggered" workflows that fetch data from private repositories.
## References
- **Noma Labs Blog**: hxxps[://]noma[.]security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/
- **PoC Attack Flow**: hxxps[://]github[.]com/sasinomalabs/poc/issues/153
- **PoC Action Run**: hxxps[://]github[.]com/sasinomalabs/poc/actions/runs/23909666039