CVE-2025-11578: CWE-59 Improper Link Resolution Before File Access ('Link Following') in GitHub Enterprise Server
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program.
AI Analysis
Technical Summary
CVE-2025-11578 is a vulnerability classified under CWE-59 (Improper Link Resolution Before File Access) affecting GitHub Enterprise Server versions 3.14 through 3.18. The flaw arises from insecure handling of symbolic links in the pre-receive hook environment, a mechanism used to enforce policies before accepting Git pushes. An authenticated enterprise admin can exploit this by creating a specially crafted repository and environment that triggers a symlink escape during the cleanup phase of pre-receive hooks. This escape allows the attacker to overwrite or replace critical system binaries on the server. By doing so, the attacker can execute arbitrary code with root privileges, specifically by adding their SSH public key to the root user’s authorized_keys file. This grants persistent root SSH access to the underlying appliance hosting GitHub Enterprise Server. The vulnerability requires high privileges (enterprise admin) and does not require user interaction, but the impact on confidentiality, integrity, and availability is severe. The issue was responsibly disclosed via GitHub’s Bug Bounty program and fixed in multiple patch releases starting with 3.14.19. The CVSS v4.0 score is 7.5, reflecting high severity with network attack vector, high privileges required, and no user interaction.
Potential Impact
For European organizations using GitHub Enterprise Server, this vulnerability poses a significant risk of full server compromise if exploited by a malicious insider or a threat actor who has obtained enterprise admin credentials. Root SSH access allows attackers to manipulate all data, configurations, and repositories hosted on the appliance, potentially leading to intellectual property theft, sabotage, or lateral movement within the corporate network. Given the critical role of GitHub Enterprise in software development pipelines, exploitation could disrupt development workflows and compromise the integrity of software supply chains. The risk is heightened in sectors with stringent compliance requirements such as finance, healthcare, and critical infrastructure, where unauthorized root access could lead to regulatory violations and severe reputational damage.
Mitigation Recommendations
European organizations should immediately verify their GitHub Enterprise Server versions and upgrade to the fixed releases (3.14.19, 3.15.14, 3.16.10, 3.17.7, or 3.18.1 and later). Restrict enterprise admin privileges strictly to trusted personnel and enforce multi-factor authentication to reduce the risk of credential compromise. Implement monitoring and alerting for unusual SSH key additions to root’s authorized_keys file and audit pre-receive hook configurations for unauthorized changes. Employ network segmentation to isolate GitHub Enterprise appliances from critical infrastructure and sensitive data stores. Regularly review and rotate SSH keys and credentials associated with administrative accounts. Consider deploying host-based intrusion detection systems (HIDS) to detect unauthorized file modifications. Finally, conduct internal security awareness training focused on the risks of privilege misuse and enforce the principle of least privilege across all administrative roles.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Finland
CVE-2025-11578: CWE-59 Improper Link Resolution Before File Access ('Link Following') in GitHub Enterprise Server
Description
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program.
AI-Powered Analysis
Technical Analysis
CVE-2025-11578 is a vulnerability classified under CWE-59 (Improper Link Resolution Before File Access) affecting GitHub Enterprise Server versions 3.14 through 3.18. The flaw arises from insecure handling of symbolic links in the pre-receive hook environment, a mechanism used to enforce policies before accepting Git pushes. An authenticated enterprise admin can exploit this by creating a specially crafted repository and environment that triggers a symlink escape during the cleanup phase of pre-receive hooks. This escape allows the attacker to overwrite or replace critical system binaries on the server. By doing so, the attacker can execute arbitrary code with root privileges, specifically by adding their SSH public key to the root user’s authorized_keys file. This grants persistent root SSH access to the underlying appliance hosting GitHub Enterprise Server. The vulnerability requires high privileges (enterprise admin) and does not require user interaction, but the impact on confidentiality, integrity, and availability is severe. The issue was responsibly disclosed via GitHub’s Bug Bounty program and fixed in multiple patch releases starting with 3.14.19. The CVSS v4.0 score is 7.5, reflecting high severity with network attack vector, high privileges required, and no user interaction.
Potential Impact
For European organizations using GitHub Enterprise Server, this vulnerability poses a significant risk of full server compromise if exploited by a malicious insider or a threat actor who has obtained enterprise admin credentials. Root SSH access allows attackers to manipulate all data, configurations, and repositories hosted on the appliance, potentially leading to intellectual property theft, sabotage, or lateral movement within the corporate network. Given the critical role of GitHub Enterprise in software development pipelines, exploitation could disrupt development workflows and compromise the integrity of software supply chains. The risk is heightened in sectors with stringent compliance requirements such as finance, healthcare, and critical infrastructure, where unauthorized root access could lead to regulatory violations and severe reputational damage.
Mitigation Recommendations
European organizations should immediately verify their GitHub Enterprise Server versions and upgrade to the fixed releases (3.14.19, 3.15.14, 3.16.10, 3.17.7, or 3.18.1 and later). Restrict enterprise admin privileges strictly to trusted personnel and enforce multi-factor authentication to reduce the risk of credential compromise. Implement monitoring and alerting for unusual SSH key additions to root’s authorized_keys file and audit pre-receive hook configurations for unauthorized changes. Employ network segmentation to isolate GitHub Enterprise appliances from critical infrastructure and sensitive data stores. Regularly review and rotate SSH keys and credentials associated with administrative accounts. Consider deploying host-based intrusion detection systems (HIDS) to detect unauthorized file modifications. Finally, conduct internal security awareness training focused on the risks of privilege misuse and enforce the principle of least privilege across all administrative roles.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_P
- Date Reserved
- 2025-10-10T07:00:07.064Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69126c0c6b3b7718db092a71
Added to database: 11/10/2025, 10:49:48 PM
Last enriched: 11/10/2025, 11:05:07 PM
Last updated: 11/11/2025, 1:59:28 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-42940: CWE-787: Out-of-bounds Write in SAP_SE SAP CommonCryptoLib
HighCVE-2025-42924: CWE-601: URL Redirection to Untrusted Site in SAP_SE SAP S/4HANA landscape (SAP E-Recruiting BSP)
MediumCVE-2025-42919: CWE-22: Improper Limitation of a Pathname to a Restricted Directory in SAP_SE SAP NetWeaver Application Server Java
MediumCVE-2025-42899: CWE-862: Missing Authorization in SAP_SE SAP S4CORE (Manage Journal Entries)
MediumCVE-2025-42897: CWE-522: Insufficiently Protected Credentials in SAP_SE SAP Business One (SLD)
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.