Indirect Prompt Injection · Critical

CamoLeak: private source-code exfiltration from GitHub Copilot Chat

October 2025 · GitHub Copilot Chat
What happened
Hidden prompts embedded in pull-request descriptions could steer Copilot Chat to leak source code and secrets from private repos. Exfiltration abused GitHub's own Camo image proxy, encoding stolen data as a sequence of pre-generated image requests (CVE-2025-59145, CVSS 9.6).
Root cause
Copilot acted on untrusted PR content as instructions, combined with a CSP bypass that allowed data egress through the trusted Camo image path.
Fix / outcome
GitHub disabled image rendering in Copilot Chat and blocked the Camo exfiltration path in mid-August 2025.
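As an added illustration of the fix described above (example code written for this entry, not GitHub's own), the following Python shows the defensive shape of that change: image references are neutralized in assistant output before it is rendered, so the viewer's client never fetches a URL the model was steered into emitting, and a run of many image references is flagged for review. The sample reply and the burst threshold are constructed.

```python
import re

# Two ways an assistant reply can trigger an outbound image fetch when the
# chat client renders it: Markdown images and raw <img> tags.
MD_IMAGE = re.compile(r"!\[[^\]]*\]\([^)]*\)")
HTML_IMG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
PLACEHOLDER = "[image removed]"


def neutralize_images(reply: str) -> tuple[str, int]:
    """Replace every image reference in a model reply with inert text.

    Returns the sanitized reply and the number of references removed.
    Nothing in the returned text causes the viewer's browser to fetch a
    URL chosen by the model (or by whoever injected instructions into
    the content the model read).
    """
    text, n_md = MD_IMAGE.subn(PLACEHOLDER, reply)
    text, n_html = HTML_IMG.subn(PLACEHOLDER, text)
    return text, n_md + n_html


def image_burst(reply: str, threshold: int = 5) -> bool:
    """Flag replies carrying an unusual run of image references.

    A normal answer rarely embeds more than a handful of images; a long
    sequence is the shape of the channel this incident describes, so it
    is worth logging for review even after the images are neutralized.
    The threshold is a constructed default, not a value from the page.
    """
    _, n = neutralize_images(reply)
    return n >= threshold


# Constructed sample: a reply that mixes a normal answer with a run of
# image references the model was steered into emitting.
SAMPLE = (
    "Here is the function you asked about.\n"
    + "".join(f"![](https://example.invalid/px/{i}.png)\n" for i in range(6))
    + '<img src="https://example.invalid/px/end.png">\n'
)

if __name__ == "__main__":
    clean, removed = neutralize_images(SAMPLE)
    print(f"removed {removed} image references; burst={image_burst(SAMPLE)}")
    print(clean)
```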
Learn this attack class
This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.