GitHub Copilot CLI shell expansion bypass enables arbitrary code execution
TL;DR — A bash parameter expansion bypass in GitHub Copilot CLI tricks the shell safety assessment into approving dangerous commands, enabling arbitrary code execution.
What happened
GitHub Copilot CLI is a command-line tool that translates natural language into shell commands using AI. GitHub published a security advisory for Copilot CLI describing a vulnerability where bash parameter expansion patterns can trick the "shell safety assessment" into classifying dangerous commands as read-only. Patterns like ${var@P}, ${var:=value}, and nested $(cmd) inside ${...} can embed hidden execution in seemingly harmless commands.
The advisory includes a proof-of-concept where an innocent-looking echo command executes touch /tmp/pwned through chained parameter expansion:
echo ${a="$"}${b="$a(touch /tmp/pwned)"}${b@P}
This is particularly concerning because the attack surface includes prompt injection — malicious content in repository READMEs, code comments, issue bodies, or compromised MCP server responses could craft commands that bypass safety checks.
Who is impacted
- GitHub Copilot CLI versions <= 0.0.422.
- Risk scenarios include operating in untrusted repos, with untrusted MCP servers, or with crafted user instructions.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- Treat Copilot CLI shell suggestions as potentially attacker-influenced when operating in untrusted repos or with untrusted MCP servers.
- If running older versions, avoid executing agent-suggested commands containing complex ${...} expansions or suspicious operators like @P, :=, !, or embedded $(...)/<(...).
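One way to apply the last check mechanically before running a suggested command: the added example below (not code from GitHub or from the advisory) scans each ${...} span for the operators listed above. The function names, labels and all sample commands other than the advisory's PoC are assumptions made for illustration, and the scan is a conservative heuristic, not a bash parser.

```python
import re

# Constructs the advisory warns about, looked for inside each ${...} span.
# The bare "=" form is included because the advisory's PoC uses it.
CHECKS = [
    ("assignment := or =", re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*:?=")),
    ("embedded command substitution", re.compile(r"\$\(|`")),
    ("embedded process substitution", re.compile(r"[<>]\(")),
    ("indirection !", re.compile(r"\$\{!")),
    ("prompt transform @P", re.compile(r"@P\}")),
]

def expansion_spans(cmd):
    """Yield each top-level ${...} span, matching nested braces."""
    i = 0
    while (start := cmd.find("${", i)) >= 0:
        depth, j = 0, start + 1
        while j < len(cmd):
            if cmd[j] == "{":
                depth += 1
            elif cmd[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        # An unterminated span runs to the end of the command (fail closed).
        yield cmd[start:j + 1]
        i = j + 1

def risky_expansions(cmd):
    """Return the sorted labels of risky constructs found in cmd."""
    found = set()
    for span in expansion_spans(cmd):
        found.update(label for label, rx in CHECKS if rx.search(span))
    return sorted(found)

# PoC string as printed in the advisory; the other samples are constructed.
POC = 'echo ${a="$"}${b="$a(touch /tmp/pwned)"}${b@P}'
SAMPLES = [POC, "echo ${HOME}/bin ${PATH:-/usr/bin}", "echo ${x:-$(date)}"]

if __name__ == "__main__":
    for cmd in SAMPLES:
        hits = risky_expansions(cmd)
        print("REVIEW" if hits else "ok    ", cmd, hits)
```

The PoC contains no literal $( sequence, so a check for command substitution alone does not catch it; the assignment and @P checks are what flag it.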
