


Perceptive Security
SOC/SIEM Consultancy

GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository …
Published:
28 May 2026 at 22:00:00
Alert date:
29 May 2026 at 17:11:07
Source:
nvd.nist.gov
Security Tools, Supply Chain & Dependencies
GitHub CLI prior to version 2.93.0 incorrectly includes authorization headers in API requests to TUF repository mirrors. The vulnerability affects the gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client whose host-detection logic collapses every *.github.com subdomain to github.com, so requests to hosts that should never be authenticated are treated as requests to github.com and the token is attached. As a result, GitHub tokens are leaked to external services including tuf-repo.github.com, tuf-repo-cdn.sigstore.dev, and Azure Blob Storage. The issue stems from inadequate host normalization in the authentication layer. The vulnerability is fixed in GitHub CLI version 2.93.0.
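The host-collapse bug class described above, as a constructed Go example added here (not GitHub CLI's own code): the vulnerable policy suffix-matches *.github.com and therefore hands the token to a TUF mirror, while the hardened policy only attaches it to an explicit allowlist of exact hosts. The token host, the allowlist, the URLs and the token value are all assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed illustration, not GitHub CLI's own code: a shared HTTP client
// attaches the stored token when the request host matches the token's host.
const tokenHost = "github.com" // assumed host the token was issued for

// normalizeHostVulnerable models the described bug class: every *.github.com
// subdomain collapses to github.com, so tuf-repo.github.com looks authenticated.
func normalizeHostVulnerable(host string) string {
	host = strings.ToLower(host)
	if strings.HasSuffix(host, "."+tokenHost) {
		return tokenHost
	}
	return host
}

func shouldAttachTokenVulnerable(rawURL string) bool {
	u, err := url.Parse(rawURL)
	return err == nil && normalizeHostVulnerable(u.Hostname()) == tokenHost
}

// Hardened check: exact match against an explicit allowlist of hosts that
// legitimately receive the token (assumed list; no suffix matching at all).
var apiHosts = map[string]bool{"api.github.com": true, "github.com": true}

func shouldAttachTokenFixed(rawURL string) bool {
	u, err := url.Parse(rawURL)
	return err == nil && apiHosts[strings.ToLower(u.Hostname())]
}

// authorizationHeader is the Authorization value the client would send for
// rawURL under the given policy, or "" when the token is withheld.
func authorizationHeader(rawURL, token string, policy func(string) bool) string {
	if policy(rawURL) {
		return "token " + token
	}
	return ""
}

func main() {
	token := "ghp_CONSTRUCTED_EXAMPLE" // placeholder, not a real token
	for _, u := range []string{"https://api.github.com/repos/cli/cli", "https://tuf-repo.github.com/targets/foo"} {
		fmt.Printf("%s\n  vulnerable: %q\n  fixed: %q\n", u, authorizationHeader(u, token, shouldAttachTokenVulnerable), authorizationHeader(u, token, shouldAttachTokenFixed))
	}
}
```

Running it shows the vulnerable policy emitting the Authorization header for the TUF mirror URL and the fixed policy emitting it only for api.github.com.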
Technical details
Affected products:
GitHub CLI
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-48501
https://github.com/cli/cli/security/advisories/GHSA-8xvp-7hj6-mcj9
This article was created with the assistance of AI technology by Perceptive.
