GitHub Copilot 'Leaky Previews' Exposes Inter-Tenant Prompt and Completion Data
Overview
A serious information disclosure vulnerability was discovered in the GitHub Copilot service, allowing one user to view the prompts and code completions of another. The vulnerability, which was active for a limited time, stemmed from a race condition and caching issue in the backend infrastructure that processed Copilot requests. Under specific circumstances, when multiple users were making requests simultaneously, the service could incorrectly route and cache the response, causing User A's IDE to display a code suggestion intended for User B. The exposed data included any code, comments, or other text being written by the victim in their editor that was sent to the Copilot service for completion. This could include proprietary source code, API keys, credentials, PII, and other sensitive information. The issue was not consistently reproducible but was observed and reported by multiple users who noticed they were receiving highly irrelevant and unusual suggestions that clearly originated from another user's context. The incident highlighted the significant data privacy risks associated with cloud-connected AI coding assistants and the challenges of maintaining strict data isolation in large, multi-tenant AI services. GitHub quickly acknowledged the issue, disabled the affected caching layer, and implemented a permanent fix to prevent recurrence.
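The page does not describe the actual backend mechanism, so the following is an added, hypothetical model (not GitHub's code) of the bug class it names: a completion cache whose key omits the tenant, shown next to a hardened version that scopes the key by tenant and re-checks ownership before serving an entry. `fake_model` stands in for the completion model and is constructed so that a leaked entry is visible in the output.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Completion:
    tenant_id: str   # the user whose prompt produced this completion
    text: str


class LeakyCompletionCache:
    """Weak design: the cache key ignores the tenant, so entries are shared."""
    def __init__(self, backend: Callable[[str, str], str]):
        self._backend = backend
        self._entries: Dict[str, Completion] = {}

    def complete(self, tenant_id: str, prompt: str) -> str:
        hit = self._entries.get(prompt)
        if hit is None:
            hit = Completion(tenant_id, self._backend(tenant_id, prompt))
            self._entries[prompt] = hit
        return hit.text  # may have been produced for a different user


class IsolatedCompletionCache:
    """Hardened design: the key is scoped by tenant and ownership is re-checked."""
    def __init__(self, backend: Callable[[str, str], str]):
        self._backend = backend
        self._entries: Dict[Tuple[str, str], Completion] = {}

    def complete(self, tenant_id: str, prompt: str) -> str:
        key = (tenant_id, prompt)
        hit = self._entries.get(key)
        if hit is None:
            hit = Completion(tenant_id, self._backend(tenant_id, prompt))
            self._entries[key] = hit
        if hit.tenant_id != tenant_id:
            # Defence in depth: refuse another user's entry even if the keying regresses.
            raise PermissionError("cross-tenant cache entry refused")
        return hit.text


def fake_model(tenant_id: str, prompt: str) -> str:
    """Stand-in for the model (constructed): the completion carries the requester's context."""
    return f"{prompt} // completed with {tenant_id}'s private context"


def demo() -> Tuple[str, str]:
    """User B asks first; user A then sends the same prompt to each cache."""
    leaky, safe = LeakyCompletionCache(fake_model), IsolatedCompletionCache(fake_model)
    prompt = "def connect_db():"
    leaky.complete("user_b", prompt)
    safe.complete("user_b", prompt)
    return leaky.complete("user_a", prompt), safe.complete("user_a", prompt)
```

In the leaky cache user A receives the completion generated from user B's context; the isolated cache returns a completion generated for user A only.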
Affected Systems
Testing Guide
1. **Check Exposure Window**: This vulnerability was transient and patched on the backend. There is no direct way for a user to test if they were affected.
2. **Review Public Disclosures**: Check GitHub's official blog and security advisories for the specific dates of the incident to determine if you were using the service during that time.
3. **Monitor for Anomalous Suggestions**: While the specific issue is patched, being vigilant for code suggestions that are completely out of context for your current work can be a general indicator of potential problems.
Mitigation Steps
1. **Client-Side Action**: No client-side mitigation was possible. The vulnerability was on the GitHub Copilot backend service.
2. **Review Code**: If you were using Copilot during the exposure window, review your recent code for any sensitive information that may have been inadvertently transmitted.
3. **Rotate Credentials**: As a precautionary measure, rotate any secrets or credentials that might have been present in code sent to the Copilot service.
4. **Use Content Exclusions**: Configure GitHub Copilot's content exclusion settings to prevent it from accessing and sending sensitive files or directories to the service.
Patch Details
The vulnerability was patched by GitHub on their backend services. No user action or extension update was required.