Copilot CLI 1.0.43: RCE Fix & Server-Side Model Routing
Copilot CLI 1.0.43 patches a critical RCE vulnerability, adds server-side model routing for smarter auto mode, and fixes MCP process cleanup. Update now.
TL;DR
- Server-side model routing in auto mode for smarter real-time selection
- Critical RCE vulnerability involving malicious bare repositories patched
- MCP server processes now fully cleaned up on session end
New
- Username toggle in /statusline picker — display the active account in the footer for multi-account workflows
- Server-side model routing — auto mode now uses backend logic for improved real-time model selection
- Download progress on updates — see progress when running the update command
Fixed
- Resume prompt now shows correct session name when multiple sessions are active
- MCP server child processes (started via npx or uvx) are fully terminated when a session ends, preventing orphaned processes
Breaking Changes
- RCE vulnerability (GHSA-9ccr-r5hg-74gf) — protection added against remote code execution from malicious bare repositories nested inside a project. Update immediately if you work with untrusted repositories.
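To review a checkout for bare repositories nested inside the project before opening it with any tool, a scan like the following can help. This is an added example, not code from Copilot CLI or the advisory; it assumes a bare repository is recognizable by the standard Git layout (a HEAD file plus objects/ and refs/ directories), and the function names and sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def looks_like_git_dir(path: Path) -> bool:
    # Assumed heuristic: HEAD file plus objects/ and refs/ directories.
    return ((path / "HEAD").is_file()
            and (path / "objects").is_dir()
            and (path / "refs").is_dir())


def find_nested_bare_repos(project_root) -> list[str]:
    """Return project-relative paths of directories laid out like bare repositories."""
    root = Path(project_root).resolve()
    hits = []
    # os.walk does not follow symlinked directories by default.
    for dirpath, dirnames, _files in os.walk(root):
        # Skip the regular .git metadata directory of the project and of nested checkouts.
        if ".git" in dirnames:
            dirnames.remove(".git")
        current = Path(dirpath)
        if looks_like_git_dir(current):
            hits.append(current.relative_to(root).as_posix())
            dirnames[:] = []  # do not descend into the repository's internals
    return sorted(hits)


def build_constructed_sample(root: Path) -> None:
    """Constructed sample tree: a normal checkout with one bare layout inside it."""
    for git_dir in (root / ".git", root / "vendor" / "docs.git"):
        (git_dir / "objects").mkdir(parents=True)
        (git_dir / "refs").mkdir()
        (git_dir / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "src").mkdir()
    (root / "src" / "main.py").write_text("print('hello')\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(Path(tmp))
        for hit in find_nested_bare_repos(tmp):
            print("bare repository layout:", hit)
```

Any path it reports deserves a manual look before the project is opened with tooling that invokes Git.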
Update: npm install -g @github/copilot-cli@latest or run copilot update
Source: Copilot CLI