CamoLeak: GitHub Copilot Chat Exfiltrates Private Source Code via Hidden Markdown Instructions
Researchers demonstrated that hidden markdown instructions in pull requests could make GitHub Copilot Chat leak private source code and secrets one character at a time through GitHub's Camo image proxy; GitHub fixed it before disclosure with no known in-the-wild use.
What happened
CamoLeak (CVE-2025-59145, CVSS 9.6) was a critical vulnerability in GitHub Copilot Chat, demonstrated by Legit Security researcher Omer Mayraz and reported to GitHub via HackerOne. The CVE identifier was published after the initial October 2025 disclosure, so the earliest reporting did not cite it. Invisible markdown instructions embedded in a pull request or issue could cause Copilot Chat to read private source code and secrets from repositories the victim had access to, then encode them for exfiltration. The attacker pre-generated a dictionary of HMAC-signed URLs through GitHub's Camo image proxy, one per character, and instructed Copilot to render the stolen data as ASCII art made of images. As the victim's browser rendered the response, it fetched one Camo image per exfiltrated character, and the sequence of requests reconstructed the data on the attacker's server. Using GitHub's own signed Camo URLs sidestepped the Content Security Policy that would otherwise block external image requests. GitHub fixed the issue by disabling image rendering in Copilot Chat on August 14, 2025 and blocking Camo from serving this content, before the public disclosure in October 2025. This was a researcher demonstration; there is no evidence it was exploited in the wild.
What the agent did
When given the hidden instructions, Copilot Chat read private source code and secrets the victim could access and emitted a chat response containing attacker-supplied Camo image URLs that encoded that data. The victim's browser, not the agent itself, then fetched those images, exfiltrating the data one character per request.
The irreversible effect
In the researchers' demonstration, private source code and secrets from a victim's repositories could be reconstructed on an attacker-controlled server, one character at a time. GitHub fixed the flaw before public disclosure and reported no in-the-wild exploitation, so there was no confirmed real-world loss.
Root cause
GitHub Copilot Chat acted on instructions from untrusted input (hidden markdown in a pull request) without human approval, letting an attacker direct it to read private source code and secrets and surface them in its rendered output. Because the exfiltration rode on markdown image rendering through GitHub's own signed Camo URLs, it also evaded the Content Security Policy and standard network egress controls.
How a maker-checker control would have refused it
The exfiltration here rode on Copilot's rendered markdown output rather than an outbound tool call, so a network or outbound-fetch restriction would not have fired and is not claimed to block it. The defensible chokepoint is the read of private source code and secrets: under MakerChecker the secrets-read skill is marked high-risk and the proxy refuses it with 'high_risk_requires_gate', so the injected instruction to read secrets is stopped before any data can be encoded into a response, unless a named reviewer authorizes which secrets are read and why behind a preceding approval gate.
Runnable reproduction
This incident ships as a runnable scenario in the open-source repository. Point the enforcement engine at the policy and watch the action get refused, with the refusal written to a signed audit record.
examples/camoleak-github-copilot-chat-source-code-exfiltration
Accuracy and corrections
This entry describes a publicly reported incident and is compiled from the primary sources listed above. Where an account is a legal allegation rather than an established finding, the entry labels it as such. Summaries can still contain errors. If you can document a correction, email hello@makerchecker.ai and we will review and correct it, with the change noted, within 14 days.
See it for yourself
Reading is one thing. Watch it block an agent.
One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.
Designed against the rules your auditors already enforce.