Code-hosting platform GitHub has rolled out patches for a distant code execution (RCE) vulnerability in a number of Enterprise Server variations.
Tracked as CVE-2025-3509 (CVSS rating of seven.1), the flaw may have allowed attackers to use the pre-receive hook performance to bind to ports which might be dynamically allotted and change into out there.
Exploitation of the flaw, GitHub says, is simply potential beneath particular operational situations, which means that the assault window is lowered.
“This vulnerability is simply exploitable beneath particular operational situations, comparable to through the scorching patching course of, and requires both website administrator permissions or a consumer with privileges to switch repositories containing pre-receive hooks,” GitHub explains.
An preliminary repair for the safety defect was discovered incomplete, permitting attackers to use the difficulty in sure circumstances, and a brand new patch was rolled out, the Microsoft-owned platform says.
Profitable exploitation of CVE-2025-3509 may have allowed attackers to execute arbitrary code and elevate their privileges, probably resulting in full system compromise.
In keeping with GitHub, all Enterprise Server releases prior to three.18 are affected. Fixes for the bug had been included in Enterprise Server variations 3.17.1, 3.16.4, 3.15.8, 3.14.13, and three.13.16, which had been rolled out final week.
GitHub says the vulnerability was reported by way of its bug bounty program and makes no point out of its in-the-wild exploitation.Commercial. Scroll to proceed studying.
Associated: Information Deleted From GitHub Repos Leak Invaluable Secrets and techniques
Associated: GitHub Patches Crucial Vulnerability in Enterprise Server
Associated: GitHub Actions Artifacts Leak Tokens and Expose Cloud Companies and Repositories
