GitHub has issued urgent security updates for its Enterprise Server product after discovering multiple high-severity vulnerabilities, including a critical flaw (CVE-2025-3509) that allows attackers to execute arbitrary code and compromise systems.
The vulnerabilities, which also expose sensitive repository data and enable cross-site scripting (XSS) attacks, affect versions 3.13.0 through 3.16.1 of GitHub Enterprise Server. Patches are now available in versions 3.13.14, 3.14.11, 3.15.6, and 3.16.2.
The most severe vulnerability (CVE-2025-3509) enables remote code execution (RCE) by exploiting dynamically allocated ports during hot patch upgrades.
Attackers with site administrator permissions or repository modification privileges could bind to temporarily available ports, potentially escalating privileges and taking full control of the system. This flaw is only exploitable under specific conditions, such as during the hot patching process, limiting its attack window.
A medium-severity vulnerability (CVE-2025-3124) allows unauthorized users to view private repository names in the GitHub Advanced Security Overview.
This occurs due to a missing authorization check when applying the "archived:" filter. While repository contents remain protected, the exposure of names could aid attackers in targeting sensitive projects.
A separate high-risk XSS vulnerability (CVE-2025-3246) lets attackers inject malicious HTML/CSS into Markdown math blocks ($$..$$). Exploitation requires access to the target instance and privileged user interaction with the malicious content. GitHub has mitigated this by improving input sanitization and escaping protocols for math-rendered elements.
Affected Versions and Mitigation
The vulnerabilities’ impact:
GitHub recommends immediate upgrades to the latest patched versions. Administrators should also audit user permissions and monitor for unusual activity during hot patching.
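As an added example (not from the article and not GitHub's own tooling), a small check that maps an instance's version string to the patched release named above. It compares per release line, because a plain range test over 3.13.0 to 3.16.1 would misclassify already-patched builds such as 3.13.14; the version strings and the fixed-patch table are assumptions drawn only from the versions the article lists.

```python
"""Check whether a GitHub Enterprise Server version is covered by the
advisory above (CVE-2025-3509, CVE-2025-3124, CVE-2025-3246) and, if so,
which patched release to upgrade to.

Fixed versions named in the article: 3.13.14, 3.14.11, 3.15.6, 3.16.2.
A naive "3.13.0 <= v <= 3.16.1" check would wrongly flag 3.13.14, so the
comparison is done within each release line instead.
"""
from typing import Optional, Tuple

# First patched release per affected line (assumption: taken from the
# versions the article lists): (major, minor) -> first fixed patch level
FIXED_PATCH = {(3, 13): 14, (3, 14): 11, (3, 15): 6, (3, 16): 2}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'x.y.z' (optionally prefixed with 'v') into an int tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GHES version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def recommended_upgrade(version: str) -> Optional[str]:
    """Return the patched version to upgrade to, or None.

    None also covers release lines outside 3.13-3.16, which this advisory
    does not describe; those should be checked against other advisories.
    """
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is None or patch >= fixed_patch:
        return None
    return f"{major}.{minor}.{fixed_patch}"


if __name__ == "__main__":
    # Constructed sample inputs covering both ends of each release line
    for v in ["3.13.0", "3.13.14", "3.15.5", "3.16.1", "3.16.2", "3.12.9"]:
        fix = recommended_upgrade(v)
        print(f"{v}: {'upgrade to ' + fix if fix else 'no upgrade required by this advisory'}")
```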
All vulnerabilities were reported through GitHub’s Bug Bounty program, underscoring the importance of community-driven security initiatives. The company has not disclosed evidence of active exploitation but emphasizes proactive mitigation given the severity of these flaws.
Organizations relying on GitHub Enterprise Server must prioritize these updates to safeguard against code execution, data leaks, and XSS attacks. The patches highlight ongoing risks in enterprise DevOps environments and the critical need for rigorous access controls and patch management protocols.