20 Apr

CVE-2025-3509
A vulnerability (CVE-2025-3509) exists in the pre-receive hook functionality of GitHub Enterprise Server. The flaw could allow an attacker to execute arbitrary code on the appliance, potentially leading to privilege escalation and complete system compromise. It is exploited by binding to dynamically allocated ports that become temporarily available, for example during a hot patch upgrade, so the exposure window is tied to maintenance operations rather than to normal request handling.
CVE-2025-3124
A medium-severity vulnerability (CVE-2025-3124) could allow an attacker to view private repository names that the signed-in user is not authorized to see. The issue occurs in the GitHub Advanced Security Overview due to a missing authorization check when filtering with “only archived:”.
CVE-2025-3246
A high-severity vulnerability (CVE-2025-3246) involves improper neutralization of input in GitHub’s Markdown rendering. An attacker could exploit this to embed malicious HTML/CSS in math blocks ($$ .. $$), leading to cross-site scripting (XSS). Successful exploitation requires access to the target GitHub Enterprise Server instance and interaction by a privileged user with the malicious content. GitHub mitigated the issue by disallowing math blocks from being terminated early by dollar signs and by ensuring that non-wrapped math-rendered content is properly escaped.
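As an added example (not GitHub's renderer or the fix it shipped), the following script is a heuristic triage aid for content already stored on an instance: it extracts $$ math blocks from Markdown and flags any whose body contains an HTML tag, an inline style attribute, or an event-handler attribute. It knows nothing about how GitHub's math renderer actually handled dollar signs; it also reports an opening $$ with no closing pair, since block termination is what the advisory's fix concerns. The sample Markdown is constructed.

```python
"""Flag Markdown math blocks ($$ ... $$) that carry raw HTML or CSS.

Added example for triage only; it is not GitHub's rendering code.
Blocks are matched textually, so it is a hunting aid, not a parser
that reproduces the vulnerable behaviour.
"""
import re
from typing import List, Tuple

# A '$$' block runs from an opening '$$' to the next '$$'. If no closing
# pair exists the block runs to end of input and is reported as unterminated.
MATH_BLOCK = re.compile(r"\$\$(.*?)(\$\$|\Z)", re.DOTALL)

# Anything that should never appear inside a math block: a tag, an inline
# style attribute, or an on* event-handler attribute.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>"      # any HTML tag
    r"|\bstyle\s*="                 # inline CSS
    r"|\bon[a-z]+\s*=",             # onerror=, onload=, ...
    re.IGNORECASE,
)


def find_suspicious_math(markdown: str) -> List[Tuple[int, bool, str]]:
    """Return (line_number, terminated, snippet) for each math block whose
    body matches SUSPICIOUS. line_number is the 1-based line of the opening
    '$$'; terminated is False when no closing '$$' was found."""
    hits = []
    for m in MATH_BLOCK.finditer(markdown):
        body = m.group(1)
        terminated = m.group(2) == "$$"
        if SUSPICIOUS.search(body):
            line_no = markdown.count("\n", 0, m.start()) + 1
            hits.append((line_no, terminated, body.strip()[:80]))
    return hits


# Constructed sample: two benign blocks, one terminated payload block, and
# one unterminated block carrying inline CSS.
SAMPLE = r"""# Release notes

Benign inline math: $$E = mc^2$$

$$
\sum_{i=0}^{n} i = \frac{n(n+1)}{2}
$$

$$
<img src=x onerror="alert(1)">
$$

Text after.

$$ <div style="position:fixed">unterminated block
"""

if __name__ == "__main__":
    for line_no, terminated, snippet in find_suspicious_math(SAMPLE):
        state = "terminated" if terminated else "UNTERMINATED"
        print(f"line {line_no:>3} [{state}] {snippet}")
```

Run it over the Markdown files of a checked-out repository (README, issue templates, wiki pages) after upgrading; a hit is a candidate for manual review, not proof of a payload.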
Affected Versions and Mitigations
The following versions of GitHub Enterprise Server are affected:
3.13: affected from 3.13.0 through 3.13.13; unaffected from 3.13.14
3.14: affected from 3.14.0 through 3.14.10; unaffected from 3.14.11
3.15: affected from 3.15.0 through 3.15.5; unaffected from 3.15.6
3.16: affected from 3.16.0 through 3.16.1; unaffected from 3.16.2

GitHub has released patched versions to address these vulnerabilities. It is critical for administrators to upgrade their GitHub Enterprise Server instances to the latest unaffected version to ensure the security of their systems and data.
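The following script, an added example rather than GitHub's tooling, turns the ranges above into a check an administrator can run against an installed version string. It assumes the version is available as a plain X.Y.Z string (for instance the installed_version field of the GHES REST endpoint GET /api/v3/meta, or the output of ghe-version on the appliance). A version on a branch the advisory does not list, such as an end-of-life 3.12.x or a newer 3.17.x, is reported as unknown rather than unaffected, because the advisory says nothing about it. The sample versions are constructed.

```python
"""Check a GitHub Enterprise Server version against the advisory's ranges.

Added example, not GitHub's tooling. The ranges are copied from the
advisory text above; the sample versions at the bottom are constructed.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Per release branch: (first affected, last affected, first fixed).
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[Version, Version, Version]] = {
    (3, 13): ((3, 13, 0), (3, 13, 13), (3, 13, 14)),
    (3, 14): ((3, 14, 0), (3, 14, 10), (3, 14, 11)),
    (3, 15): ((3, 15, 0), (3, 15, 5), (3, 15, 6)),
    (3, 16): ((3, 16, 0), (3, 16, 1), (3, 16, 2)),
}


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' into an integer tuple so that 3.14.10 > 3.14.2.
    Any '+build' or '-suffix' metadata (assumed possible) is ignored."""
    core = text.strip().split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_version).

    status is 'affected', 'unaffected', or 'unknown'. 'unknown' means the
    branch is not covered by the advisory; it must not be read as safe."""
    v = parse_version(text)
    rng = AFFECTED_RANGES.get((v[0], v[1]))
    if rng is None:
        return ("unknown", None)
    first, last, fixed = rng
    fixed_str = ".".join(str(n) for n in fixed)
    if first <= v <= last:
        return ("affected", fixed_str)
    return ("unaffected", fixed_str)


if __name__ == "__main__":
    # Constructed sample inputs, not real appliance output.
    for sample in ["3.13.13", "3.13.14", "3.15.5+hotpatch", "3.16.2", "3.12.9", "3.17.0"]:
        status, fixed = assess(sample)
        hint = f" (upgrade to {fixed} or later)" if status == "affected" else ""
        print(f"{sample:16} {status}{hint}")
```

Because the branch map only contains what the advisory states, extending it to future release lines means adding a row from a newer advisory, not guessing.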
