Remote Code Execution Vulnerability in GitHub Enterprise Server
CVE-2025-3509

7.1 HIGH

Key Information:

Vendor

Github

CVE Published:
17 April 2025

What is CVE-2025-3509?

A Remote Code Execution (RCE) vulnerability has been discovered in GitHub Enterprise Server that allows an attacker to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and compromise of the system. It is triggered only under specific operational conditions, such as when dynamically allocated ports are temporarily exposed during a hot patch upgrade. Exploitation requires either site administrator permissions to enable and manage pre-receive hooks, or user permissions to modify a repository that already has this functionality configured. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.17 and has been fixed in versions 3.16.2, 3.15.6, 3.14.11, and 3.13.14. It was reported through the GitHub Bug Bounty program.

Affected Version(s)

Enterprise Server 3.13.0 through 3.13.13

Enterprise Server 3.14.0 through 3.14.10

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

R31n