Threat Advisory

Critical GitHub Enterprise Server Flaws Allow Remote Exploits

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

GitHub has released critical security updates for its Enterprise Server product to address multiple high-severity vulnerabilities affecting versions 3.13.0 through 3.16.1. The most serious of these, a remote code execution flaw, allows attackers to take control of the system during hot patch upgrades by binding to dynamically allocated ports. Additional vulnerabilities include unauthorized access to private repository names due to improper authorization checks and a cross-site scripting issue that allows malicious content injection through Markdown math blocks.

  • CVE-2025-3509: Remote Code Execution vulnerability with a CVSS score of 9.8 that allows attackers to bind to dynamically allocated ports during hot patching and execute arbitrary code.
  • CVE-2025-3124: Information Disclosure vulnerability with a CVSS score of 5.3 that allows unauthorized viewing of private repository names via the archived: filter in GitHub Advanced Security Overview.
  • CVE-2025-3246: Cross-Site Scripting vulnerability with a CVSS score of 7.5 that enables HTML/CSS injection through malicious Markdown math blocks, requiring user interaction.

Organizations using GitHub Enterprise Server should apply the latest patches without delay. Immediate action is necessary to prevent code execution, data exposure, and XSS attacks.

RECOMMENDATION:

We strongly recommend updating GitHub Enterprise Server from the affected ranges to the fixed releases below:

  • 3.13.0–3.13.13 to version 3.13.14
  • 3.14.0–3.14.10 to version 3.14.11
  • 3.15.0–3.15.5 to version 3.15.6
  • 3.16.0–3.16.1 to version 3.16.2
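As an added example (not code from the advisory or from GitHub), the following Python check maps an inventoried GitHub Enterprise Server version string to the fixed release listed above. The range table is transcribed from this advisory; the sample version strings are constructed, and anything outside the listed ranges is reported as "not listed" rather than assumed safe.

```python
# Added example: check GHES version strings against the affected ranges
# and fixed releases stated in this advisory. Not code from the advisory.
from typing import Optional, Tuple

# (first affected, last affected, fixed release) per release line, transcribed
# from the advisory's recommendation section.
AFFECTED_RANGES = [
    ((3, 13, 0), (3, 13, 13), (3, 13, 14)),
    ((3, 14, 0), (3, 14, 10), (3, 14, 11)),
    ((3, 15, 0), (3, 15, 5), (3, 15, 6)),
    ((3, 16, 0), (3, 16, 1), (3, 16, 2)),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (a leading 'v' is tolerated) into an int tuple.

    Raises ValueError for anything else, so a malformed inventory entry is
    never silently treated as unaffected.
    """
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def fixed_release_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None.

    None covers both already-patched releases (e.g. 3.13.14) and release
    lines the advisory does not mention; callers should treat the latter as
    'not assessed here', not as 'safe'.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def audit(versions):
    """Map each inventoried version string to its required fixed release (or None)."""
    return {ver: fixed_release_for(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["3.13.9", "3.14.11", "v3.16.1", "3.15.6"]
    for ver, fix in audit(sample).items():
        print(f"{ver}: {'upgrade to ' + fix if fix else 'not in a listed affected range'}")
```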

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/github-enterprise-server-vulnerabilities/
