CVE-2025-6981 is an authorization vulnerability identified in GitHub Enterprise Server versions prior to 3.18, specifically affecting versions 3.14.0, 3.15.0, 3.16.0, and 3.17.0. The flaw arises from incorrect authorization checks related to the Contractors API feature, which is a rarely-enabled, private preview functionality designed to facilitate contractor access management. Due to improper enforcement of access controls, contractor accounts could gain unauthorized read access to internal repositories that should have been restricted. This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that the system fails to properly restrict access to resources based on user privileges. The vulnerability has a CVSS v4.0 base score of 5.3, reflecting a medium severity level. The vector indicates that exploitation requires network access (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), no user interaction (UI:N), and results in low confidentiality impact (VC:L) without affecting integrity or availability. No known exploits are reported in the wild as of the publication date (July 15, 2025). The issue was addressed in GitHub Enterprise Server versions 3.14.15, 3.15.10, 3.16.6, and 3.17.3, which include patches to correct the authorization logic. This vulnerability is particularly relevant for organizations using GitHub Enterprise Server with the Contractors API feature enabled, as it could lead to unauthorized disclosure of sensitive internal code repositories to contractor accounts, potentially exposing proprietary or confidential information.

For European organizations, the impact of CVE-2025-6981 can be significant, especially for those relying on GitHub Enterprise Server to manage internal software development and collaboration. Unauthorized read access to internal repositories could lead to exposure of intellectual property, sensitive business logic, or confidential data embedded in codebases. This exposure risks competitive disadvantage, regulatory non-compliance (e.g., GDPR concerns if personal data is embedded in repositories), and potential facilitation of further attacks by adversaries leveraging leaked information. Since the vulnerability requires only low privileges and no user interaction, an attacker with contractor-level access could exploit this flaw remotely over the network, increasing the risk of insider threats or compromised contractor accounts being leveraged. Although the Contractors API is rarely enabled, organizations that do use this feature must consider the risk of unauthorized data disclosure. The medium severity rating suggests that while the vulnerability is not critical, the confidentiality impact and ease of exploitation warrant prompt remediation to prevent data leakage and maintain trust in software supply chains.

European organizations should immediately verify whether the Contractors API feature is enabled in their GitHub Enterprise Server deployments. If enabled, they must prioritize upgrading to patched versions 3.14.15, 3.15.10, 3.16.6, or 3.17.3 or later to remediate the vulnerability. In addition, organizations should audit contractor accounts and their access permissions to ensure no excessive privileges are granted. Implement strict access control policies and monitor repository access logs for unusual read activity, especially from contractor accounts. Employ network segmentation and zero-trust principles to limit access scope for contractors. If upgrading is not immediately feasible, consider disabling the Contractors API feature temporarily to mitigate risk. Regularly review GitHub Enterprise Server configurations and apply security updates promptly. Finally, conduct security awareness training for administrators and contractors about the risks of unauthorized access and the importance of credential security.