Critical Vulnerabilities Discovered in GitHub Enterprise Server

GitHub has released urgent security updates for its Enterprise Server product after identifying several high-risk vulnerabilities. Among them, CVE-2025-3509 stands out as the most critical, allowing attackers to execute arbitrary code and gain full control over affected systems.

These vulnerabilities impact versions from 3.13.0 to 3.16.1. GitHub has promptly addressed the issues by releasing patched versions (3.13.14, 3.14.11, 3.15.6, and 3.16.2) and strongly recommends that users upgrade immediately.

The most severe flaw — CVE-2025-3509 — enables Remote Code Execution (RCE) through temporary ports that open during the “hot patch” process, where updates are applied without restarting the system.

If an attacker has site administrator rights or permission to modify repositories, they can exploit these transient ports to gain full system access. However, this vulnerability can only be exploited during the limited time frame of a hot patch operation.

A medium-severity vulnerability — CVE-2025-3124 — allows unauthorized users to view the names of private repositories in the GitHub Advanced Security Overview section.

This occurs due to insufficient authorization checks when using the archived: filter. While the actual repository contents remain protected, the exposure of repository names could help attackers target sensitive projects more effectively.

Another critical vulnerability — CVE-2025-3246 — allows attackers to inject malicious HTML or CSS into mathematical Markdown blocks (formatted as $$..$$). This can lead to cross-site scripting (XSS) attacks.

Such attacks require the victim to interact with the malicious content within the target instance. In response, GitHub has enhanced input sanitization and strengthened safeguards for rendering math-related elements.

Affected Versions:

  • 3.13.0 – 3.13.13 (fixed in 3.13.14)
  • 3.14.0 – 3.14.10 (fixed in 3.14.11)
  • 3.15.0 – 3.15.5 (fixed in 3.15.6)
  • 3.16.0 – 3.16.1 (fixed in 3.16.2)
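To turn the version table into a repeatable check, here is an added Python example (not code from the advisory or from GitHub) that maps an installed GHES version onto the ranges above and returns the release to upgrade to; the ranges come from the list above, and the fleet versions at the bottom are constructed sample input.

```python
"""Check whether a GitHub Enterprise Server version falls in the ranges
affected by CVE-2025-3509, CVE-2025-3124 and CVE-2025-3246, and report
the patched release to upgrade to."""

# Ranges as listed in the advisory summary: (first affected, last affected,
# fixed release).
AFFECTED_RANGES = [
    ("3.13.0", "3.13.13", "3.13.14"),
    ("3.14.0", "3.14.10", "3.14.11"),
    ("3.15.0", "3.15.5", "3.15.6"),
    ("3.16.0", "3.16.1", "3.16.2"),
]


def parse_version(version):
    """Turn 'X.Y.Z' into an integer tuple so comparisons are numeric
    (plain string comparison would rank 3.13.9 above 3.13.14)."""
    parts = version.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {version!r}")
    return tuple(int(p) for p in parts)


def check_ghes_version(version):
    """Return the fixed release the instance should be upgraded to, or None
    if the version is not inside any of the listed affected ranges."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample of fleet versions, not data from the advisory.
    for ver in ["3.12.9", "3.13.9", "3.13.14", "3.15.5", "3.16.1", "3.16.2"]:
        fix = check_ghes_version(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not in a listed range"
        print(f"{ver}: {status}")
```

A version outside every listed range only means it is not covered by this advisory's table; it says nothing about other advisories or the support status of that release.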

GitHub urges all users to upgrade to the latest patched versions without delay. Additionally, administrators should re-evaluate user permissions and closely monitor unusual activity — particularly during hot patch deployments.

These vulnerabilities pose a serious threat to the security of GitHub Enterprise Server. Although GitHub has not reported any active exploitation to date, the complexity and potential impact of the flaws make proactive mitigation essential.

The issues were discovered through GitHub’s Bug Bounty program, once again demonstrating the value of community-driven security efforts. For organizations, this serves as a reminder of the critical importance of strict access control and timely patch management in DevOps environments.