CVE-2025-6981: CWE-863 Incorrect Authorization in GitHub Enterprise Server
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3.
AI Analysis
Technical Summary
CVE-2025-6981 is an authorization vulnerability identified in GitHub Enterprise Server versions prior to 3.18, specifically affecting the release lines starting at versions 3.14.0, 3.15.0, 3.16.0, and 3.17.0. The flaw arises from incorrect authorization checks related to the Contractors API feature, which is a rarely-enabled, private preview functionality designed to facilitate contractor access management. Due to improper enforcement of access controls, contractor accounts could gain unauthorized read access to internal repositories that should have been restricted. This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that the system fails to properly restrict access to resources based on user privileges. The vulnerability has a CVSS v4.0 base score of 5.3, reflecting a medium severity level. The vector indicates that exploitation requires network access (AV:N), low attack complexity (AC:L), low privileges (PR:L, i.e. an authenticated contractor account), no user interaction (UI:N), and results in low confidentiality impact (VC:L) without affecting integrity or availability. No known exploits are reported in the wild as of the publication date (July 15, 2025). The issue was addressed in GitHub Enterprise Server versions 3.14.15, 3.15.10, 3.16.6, and 3.17.3, which include patches to correct the authorization logic. This vulnerability is particularly relevant for organizations using GitHub Enterprise Server with the Contractors API feature enabled, as it could lead to unauthorized disclosure of sensitive internal code repositories to contractor accounts, potentially exposing proprietary or confidential information.
Potential Impact
For European organizations, the impact of CVE-2025-6981 can be significant, especially for those relying on GitHub Enterprise Server to manage internal software development and collaboration. Unauthorized read access to internal repositories could lead to exposure of intellectual property, sensitive business logic, or confidential data embedded in codebases. This exposure risks competitive disadvantage, regulatory non-compliance (e.g., GDPR concerns if personal data is embedded in repositories), and potential facilitation of further attacks by adversaries leveraging leaked information. Since the vulnerability requires only low privileges and no user interaction, an attacker with contractor-level access could exploit this flaw remotely over the network, increasing the risk of insider threats or compromised contractor accounts being leveraged. Although the Contractors API is rarely enabled, organizations that do use this feature must consider the risk of unauthorized data disclosure. The medium severity rating suggests that while the vulnerability is not critical, the confidentiality impact and ease of exploitation warrant prompt remediation to prevent data leakage and maintain trust in software supply chains.
Mitigation Recommendations
European organizations should immediately verify whether the Contractors API feature is enabled in their GitHub Enterprise Server deployments. If enabled, they must prioritize upgrading to patched versions 3.14.15, 3.15.10, 3.16.6, or 3.17.3 or later to remediate the vulnerability. In addition, organizations should audit contractor accounts and their access permissions to ensure no excessive privileges are granted. Implement strict access control policies and monitor repository access logs for unusual read activity, especially from contractor accounts. Employ network segmentation and zero-trust principles to limit access scope for contractors. If upgrading is not immediately feasible, consider disabling the Contractors API feature temporarily to mitigate risk. Regularly review GitHub Enterprise Server configurations and apply security updates promptly. Finally, conduct security awareness training for administrators and contractors about the risks of unauthorized access and the importance of credential security.
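The first two recommendations (check whether the feature is enabled, then decide which fixed release to move to) can be turned into a repeatable triage check. The following is an added example written for this advisory, not code from GitHub or from the page; it assumes version strings in `major.minor[.patch]` form and encodes only the fix versions and the 3.18 cut-off stated above.

```python
import re
from typing import Optional, Tuple

# Fix versions stated in the advisory, keyed by release line (major, minor) -> first fixed patch.
FIXED_BY_LINE = {(3, 14): 15, (3, 15): 10, (3, 16): 6, (3, 17): 3}
FIRST_UNAFFECTED = (3, 18)  # 3.18 and later are not affected


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' (optional leading 'v'); a missing patch counts as 0."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """True when the instance runs a release affected by CVE-2025-6981."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_UNAFFECTED:
        return False
    fixed_patch = FIXED_BY_LINE.get((major, minor))
    if fixed_patch is None:
        # Lines before 3.14 are "prior to 3.18" and have no listed fix: treat as affected.
        return True
    return patch < fixed_patch


def fixed_release_for(version: str) -> Optional[str]:
    """First fixed release on the same line, or None when the line has no listed fix."""
    major, minor, _ = parse_version(version)
    fixed_patch = FIXED_BY_LINE.get((major, minor))
    return f"{major}.{minor}.{fixed_patch}" if fixed_patch is not None else None


def triage(version: str, contractors_api_enabled: bool) -> str:
    """Classify one instance and state the action the advisory recommends for it."""
    if not is_vulnerable(version):
        return "not affected"
    target = fixed_release_for(version) or "a fixed line (3.14.15+, 3.15.10+, 3.16.6+ or 3.17.3+)"
    if contractors_api_enabled:
        return f"EXPOSED: upgrade to {target} now, or disable the Contractors API until upgraded"
    return f"vulnerable but not exposed (feature disabled): schedule upgrade to {target}"


if __name__ == "__main__":
    # Constructed inventory: (instance name, reported version, Contractors API enabled?)
    for name, ver, enabled in [("ghes-eu1", "3.16.4", True), ("ghes-eu2", "3.17.3", True), ("ghes-lab", "3.13.9", False)]:
        print(f"{name} ({ver}): {triage(ver, enabled)}")
```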
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_P
- Date Reserved: 2025-07-01T18:28:24.614Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6876c198a83201eaacd0cab4
Added to database: 7/15/2025, 9:01:12 PM
Last enriched: 7/23/2025, 1:38:32 AM
Last updated: 8/27/2025, 6:53:31 AM