CVE-2025-11578: CWE-59 Improper Link Resolution Before File Access ('Link Following') in GitHub Enterprise Server
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program.
AI Analysis
Technical Summary
CVE-2025-11578 is a privilege escalation vulnerability classified under CWE-59 (Improper Link Resolution Before File Access, 'Link Following') in GitHub Enterprise Server. Per the advisory it affects every release prior to 3.19; fixes shipped for the supported release lines as 3.14.20, 3.15.15, 3.16.11, 3.17.8 and 3.18.2. The flaw sits in the pre-receive hook environment: pre-receive hooks run before a push is accepted, inside an isolated environment whose contents are supplied by the appliance's administrators. An authenticated enterprise admin can craft a repository and hook environment containing a symbolic link that is followed during the hook's cleanup phase, so that file operations meant to stay inside the environment act on the host filesystem instead. That escape lets the attacker overwrite system binaries with a payload; when the replaced binary runs, the payload appends the attacker's SSH public key to the root user's authorized_keys file, yielding persistent root SSH access to the appliance. Enterprise admin privileges are required, which limits who can exploit the bug, but the outcome is a full root compromise of the appliance from what is nominally an application-level role. The issue was reported through the GitHub Bug Bounty program. The CVSS 4.0 score is 7.5 (high): network attack vector, high privileges required, no user interaction, and high impact on confidentiality, integrity and availability. No public exploit has been reported, but the root-compromise outcome makes this a high-priority patch for affected organizations.
Potential Impact
For European organizations using GitHub Enterprise Server, this vulnerability poses a significant risk of full system compromise if exploited. Root SSH access to the server allows attackers to manipulate repositories, inject malicious code, exfiltrate sensitive intellectual property, and disrupt development workflows. Given GitHub Enterprise Server’s role in managing source code and CI/CD pipelines, a successful attack could lead to widespread supply chain risks and operational downtime. The requirement for enterprise admin privileges reduces the likelihood of external attackers exploiting this directly but raises concerns about insider threats or compromised admin accounts. Organizations in sectors with stringent data protection regulations, such as finance, healthcare, and critical infrastructure, face heightened risks of regulatory non-compliance and reputational damage if this vulnerability is exploited. Additionally, the ability to persistently maintain root access could facilitate long-term espionage or sabotage campaigns targeting European enterprises.
Mitigation Recommendations
European organizations should check the release their GitHub Enterprise Server appliance is running and upgrade to 3.14.20, 3.15.15, 3.16.11, 3.17.8 or 3.18.2 (or any later release). Where patching cannot happen immediately: restrict the enterprise admin role to the smallest set of trusted accounts and require multi-factor authentication for them, since a compromised admin credential is the realistic entry point. Put file integrity monitoring on the root user's authorized_keys file and on system binaries so that the post-exploitation steps described in the advisory produce an alert. Treat uploads of pre-receive hook environments as privileged changes: review who can upload them and inspect the archives for symbolic or hard links that resolve outside the environment before they are installed. Segment the appliance from the wider enterprise network to limit lateral movement after a compromise, and keep the appliance's audit and administrative logs flowing to a SIEM with alerting on hook environment changes and other administrative actions.
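As an added example (not GitHub's code, and not the fix GitHub shipped), the following Python scans a hook environment archive for the symlink-escape pattern the advisory describes. It assumes the environment arrives as a tar archive, which is how GHES pre-receive environments are uploaded; the function names and the sample archive are this example's own. It flags members whose path leaves the extraction root, symbolic and hard links whose target resolves outside it, and files stored beneath a symlink, which is the way a crafted archive can land a file on a host path such as /usr/bin.

```python
"""Scan an uploaded pre-receive hook environment tarball for links and paths that
escape the extraction root (the CWE-59 pattern behind CVE-2025-11578).
Added example, not GitHub's code."""
from __future__ import annotations

import io
import posixpath
import tarfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    member: str   # archive member name as stored
    reason: str   # why it was flagged


def normalized(name: str) -> str:
    """Member path relative to the extraction root; leading '..' is kept so escapes stay visible."""
    return posixpath.normpath(name.lstrip("/")) if name else "."


def leaves_root(rel_path: str) -> bool:
    return rel_path == ".." or rel_path.startswith("../")


def link_resolves_outside(member_name: str, target: str) -> bool:
    """Resolve a symlink target relative to the link's own directory, as the kernel would."""
    if target.startswith("/"):
        return True  # absolute target: always points at the host filesystem
    base = posixpath.dirname(normalized(member_name))
    return leaves_root(posixpath.normpath(posixpath.join(base, target)))


def scan_hook_environment(tar_bytes: bytes) -> list[Finding]:
    """Walk every member; flag escaping paths, escaping links, and files written through a symlink."""
    findings: list[Finding] = []
    symlinks: set[str] = set()  # normalized names of symlinks seen so far
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            name = normalized(m.name)
            if m.name.startswith("/") or leaves_root(name):
                findings.append(Finding(m.name, "member path escapes extraction root"))
                continue
            # A member stored beneath an earlier symlink is written wherever that link points;
            # this is how a crafted archive overwrites host files when links are followed.
            through = next((s for s in symlinks if name.startswith(s + "/")), None)
            if through is not None:
                findings.append(Finding(m.name, f"written through symlink {through!r}"))
            if m.issym():
                if link_resolves_outside(name, m.linkname):
                    findings.append(Finding(m.name, f"symlink target {m.linkname!r} escapes root"))
                symlinks.add(name)
            elif m.islnk():
                # Hard-link targets are archive-root-relative, not link-relative.
                if m.linkname.startswith("/") or leaves_root(normalized(m.linkname)):
                    findings.append(Finding(m.name, f"hard link target {m.linkname!r} escapes root"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed input: a tiny environment with two benign members and three escaping ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(path: str, data: bytes) -> None:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(path: str, target: str) -> None:
            info = tarfile.TarInfo(path)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("bin/sh", b"#!/bin/sh\n")                  # benign
        add_symlink("lib/libc.so", "../lib/libc.so.6")      # benign: resolves to lib/libc.so.6
        add_symlink("usr", "/usr")                          # escape: absolute target on the host
        add_file("usr/bin/git", b"payload")                 # lands in the host's /usr/bin via the link
        add_symlink("tmp/out", "../../../../etc/cron.d")    # escape: climbs above the root
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_hook_environment(build_sample_archive()):
        print(f"{f.member}: {f.reason}")
```

Run it against a captured environment archive before the archive is installed; the sample archive is constructed inline only so the example runs offline, and the scanning loop is unchanged for real input. On Python 3.12 and later, tarfile.extractall(filter="data") refuses the same member classes at extraction time, which is a useful second line for any tooling that unpacks such archives, but it does not cover link resolution by a later cleanup step, which is the stage this CVE targets.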
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_P
- Date Reserved: 2025-10-10T07:00:07.064Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69126c0c6b3b7718db092a71
Added to database: 11/10/2025, 10:49:48 PM
Last enriched: 12/2/2025, 8:27:41 PM
Last updated: 12/26/2025, 7:50:34 AM
Related Threats
- CVE-2025-59888: CWE-428 Unquoted Search Path or Element in Eaton UPS Companion software (Medium)
- CVE-2025-59887: CWE-427 Uncontrolled Search Path Element in Eaton Eaton UPS Companion Software (High)
- CVE-2025-67450: CWE-427 Uncontrolled Search Path Element in Eaton UPS Companion software (High)
- CVE-2025-62578: CWE-319 Cleartext Transmission of Sensitive Information in Delta Electronics DVP-12SE (High)
- CVE-2025-8075: CWE-20 Improper Input Validation in Hanwha Vision Co., Ltd. QNV-C8012 (Medium)