CVE-2025-3509: CWE-94 Improper Control of Generation of Code ('Code Injection') in GitHub Enterprise Server
A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. The vulnerability involves using dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This means the vulnerability is only exploitable during specific operational conditions, which limits the attack window. Exploitation required either site administrator permissions to enable and configure pre-receive hooks or a user with permissions to modify repositories containing pre-receive hooks where this functionality was already enabled. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, 3.13.16. This vulnerability was reported via the GitHub Bug Bounty program.
AI Analysis
Technical Summary
CVE-2025-3509 is a high-severity Remote Code Execution (RCE) vulnerability affecting GitHub Enterprise Server versions prior to 3.18, specifically versions 3.13.0 through 3.17.0. The vulnerability stems from improper control over code generation (CWE-94) within the pre-receive hook functionality. Pre-receive hooks are scripts that run on the server side during Git operations, allowing custom validation or actions before code is accepted into a repository. This vulnerability allows an attacker to execute arbitrary code remotely by exploiting the dynamic allocation of ports during specific operational conditions, such as hot patch upgrades, when ports temporarily become available. The attack window is limited to these specific conditions, reducing the overall exploitability timeframe. To exploit this vulnerability, an attacker must have elevated privileges: either site administrator permissions to enable and configure pre-receive hooks or repository modification permissions where pre-receive hooks are already enabled. Successful exploitation can lead to privilege escalation and full system compromise of the GitHub Enterprise Server instance. The vulnerability was responsibly disclosed through the GitHub Bug Bounty program and fixed in versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, and 3.13.16. The CVSS v4.0 score is 7.1 (high), reflecting network attack vector, low attack complexity, partial privileges required, no user interaction, and significant impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the potential impact on critical development infrastructure is substantial if exploited.
Potential Impact
For European organizations, the impact of this vulnerability is significant, especially for enterprises relying on GitHub Enterprise Server for internal software development and code management. Exploitation could lead to unauthorized code execution on critical infrastructure, resulting in data breaches, intellectual property theft, and disruption of software development pipelines. Given the central role of GitHub Enterprise Server in DevOps workflows, a successful attack could compromise the integrity of source code, inject malicious code into production software, and cause widespread operational disruption. This risk is heightened for organizations in regulated sectors such as finance, healthcare, and critical infrastructure, where code integrity and availability are paramount. Additionally, the potential for privilege escalation means attackers could gain persistent access to sensitive systems, increasing the risk of lateral movement and further compromise within corporate networks. The limited attack window reduces but does not eliminate risk, necessitating prompt patching and monitoring.
Mitigation Recommendations
1. Immediate upgrade of all GitHub Enterprise Server instances to the fixed versions (3.17.1, 3.16.4, 3.15.8, 3.14.13, or 3.13.16) to eliminate the vulnerability. 2. Restrict pre-receive hook configuration permissions strictly to trusted site administrators and audit all existing pre-receive hooks for suspicious or unauthorized scripts. 3. Implement network segmentation and firewall rules to limit exposure of dynamically allocated ports during hot patch upgrades, minimizing the attack surface during vulnerable operational states. 4. Monitor logs for unusual activity related to pre-receive hook execution and port usage during upgrade windows. 5. Employ strict access controls and multi-factor authentication for site administrators and repository maintainers to reduce the risk of privilege abuse. 6. Conduct regular security reviews of DevOps infrastructure and integrate vulnerability scanning for GitHub Enterprise Server versions as part of patch management processes. 7. Consider temporary disabling of pre-receive hooks during upgrade windows if operationally feasible to eliminate the attack vector during the limited exposure period.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
CVE-2025-3509: CWE-94 Improper Control of Generation of Code ('Code Injection') in GitHub Enterprise Server
Description
A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. The vulnerability involves using dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This means the vulnerability is only exploitable during specific operational conditions, which limits the attack window. Exploitation required either site administrator permissions to enable and configure pre-receive hooks or a user with permissions to modify repositories containing pre-receive hooks where this functionality was already enabled. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, 3.13.16. This vulnerability was reported via the GitHub Bug Bounty program.
AI-Powered Analysis
Technical Analysis
CVE-2025-3509 is a high-severity Remote Code Execution (RCE) vulnerability affecting GitHub Enterprise Server versions prior to 3.18, specifically versions 3.13.0 through 3.17.0. The vulnerability stems from improper control over code generation (CWE-94) within the pre-receive hook functionality. Pre-receive hooks are scripts that run on the server side during Git operations, allowing custom validation or actions before code is accepted into a repository. This vulnerability allows an attacker to execute arbitrary code remotely by exploiting the dynamic allocation of ports during specific operational conditions, such as hot patch upgrades, when ports temporarily become available. The attack window is limited to these specific conditions, reducing the overall exploitability timeframe. To exploit this vulnerability, an attacker must have elevated privileges: either site administrator permissions to enable and configure pre-receive hooks or repository modification permissions where pre-receive hooks are already enabled. Successful exploitation can lead to privilege escalation and full system compromise of the GitHub Enterprise Server instance. The vulnerability was responsibly disclosed through the GitHub Bug Bounty program and fixed in versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, and 3.13.16. The CVSS v4.0 score is 7.1 (high), reflecting network attack vector, low attack complexity, partial privileges required, no user interaction, and significant impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the potential impact on critical development infrastructure is substantial if exploited.
Potential Impact
For European organizations, the impact of this vulnerability is significant, especially for enterprises relying on GitHub Enterprise Server for internal software development and code management. Exploitation could lead to unauthorized code execution on critical infrastructure, resulting in data breaches, intellectual property theft, and disruption of software development pipelines. Given the central role of GitHub Enterprise Server in DevOps workflows, a successful attack could compromise the integrity of source code, inject malicious code into production software, and cause widespread operational disruption. This risk is heightened for organizations in regulated sectors such as finance, healthcare, and critical infrastructure, where code integrity and availability are paramount. Additionally, the potential for privilege escalation means attackers could gain persistent access to sensitive systems, increasing the risk of lateral movement and further compromise within corporate networks. The limited attack window reduces but does not eliminate risk, necessitating prompt patching and monitoring.
Mitigation Recommendations
1. Immediate upgrade of all GitHub Enterprise Server instances to the fixed versions (3.17.1, 3.16.4, 3.15.8, 3.14.13, or 3.13.16) to eliminate the vulnerability. 2. Restrict pre-receive hook configuration permissions strictly to trusted site administrators and audit all existing pre-receive hooks for suspicious or unauthorized scripts. 3. Implement network segmentation and firewall rules to limit exposure of dynamically allocated ports during hot patch upgrades, minimizing the attack surface during vulnerable operational states. 4. Monitor logs for unusual activity related to pre-receive hook execution and port usage during upgrade windows. 5. Employ strict access controls and multi-factor authentication for site administrators and repository maintainers to reduce the risk of privilege abuse. 6. Conduct regular security reviews of DevOps infrastructure and integrate vulnerability scanning for GitHub Enterprise Server versions as part of patch management processes. 7. Consider temporary disabling of pre-receive hooks during upgrade windows if operationally feasible to eliminate the attack vector during the limited exposure period.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_P
- Date Reserved
- 2025-04-10T20:02:13.657Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68532cb833c7acc04607adfb
Added to database: 6/18/2025, 9:16:40 PM
Last enriched: 6/18/2025, 9:31:39 PM
Last updated: 8/14/2025, 10:52:07 AM
Views: 30
Related Threats
CVE-2025-38738: CWE-266: Incorrect Privilege Assignment in Dell SupportAssist for Home PCs
MediumCVE-2025-36612: CWE-266: Incorrect Privilege Assignment in Dell SupportAssist for Business PCs
MediumCVE-2025-9041: CWE-1287: Improper Validation of Specified Type of Input in Rockwell Automation FLEX 5000 I/O
HighCVE-2025-43983: n/a
UnknownCVE-2025-9042: CWE-1287: Improper Validation of Specified Type of Input in Rockwell Automation FLEX 5000 I/O
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.