PT-2025-17246 · Github · Github Enterprise Server

R31N · Published 2025-04-17 · Updated 2025-09-05 · CVE-2025-3509

CVSS v2.0: 8.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions

GitHub Enterprise Server versions prior to 3.17
GitHub Enterprise Server version 3.13.0

Description

A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. The vulnerability involves using dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This means the vulnerability is only exploitable during specific operational conditions, which limits the attack window. Exploitation required either site administrator permissions to enable and configure pre-receive hooks, or a user with permissions to modify repositories containing pre-receive hooks where this functionality was already enabled.

Recommendations

For GitHub Enterprise Server versions prior to 3.17, update to version 3.16.2, 3.15.6, 3.14.11, or 3.13.14 to fix the vulnerability. As a temporary workaround, consider disabling the pre-receive hook functionality until a patch is available. Restrict access to the pre-receive hook functionality to minimize the risk of exploitation. Avoid using the pre-receive hook functionality during hot patch upgrades until the issue is resolved.
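A branch-aware version check for the affected and fixed releases listed above, as an added illustration that is not part of this advisory or of GitHub's own tooling; it assumes dotted numeric version strings such as "3.13.0" and encodes only the version data given here.

```python
"""Check whether a GitHub Enterprise Server version carries the fix for CVE-2025-3509.

Added illustration, not code from the advisory or from GitHub. It encodes only
the version facts the advisory states: every version prior to 3.17 is affected,
and the fix ships in 3.16.2, 3.15.6, 3.14.11 and 3.13.14. Version strings are
assumed to be dotted numerics such as "3.13.0" or "3.15".
"""
from typing import Tuple

# Per release branch, the first patch level that contains the fix (from the advisory).
FIXED_VERSIONS = {
    (3, 13): (3, 13, 14),
    (3, 14): (3, 14, 11),
    (3, 15): (3, 15, 6),
    (3, 16): (3, 16, 2),
}
FIRST_UNAFFECTED_MINOR = (3, 17)  # "versions prior to 3.17" are affected


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.13.0' (or '3.13') into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch


def assess(text: str) -> str:
    """Classify a version as not_affected, fixed, vulnerable or vulnerable_no_fix."""
    ver = parse_version(text)
    if ver[:2] >= FIRST_UNAFFECTED_MINOR:
        return "not_affected"
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        # Older branch (3.12 and earlier): affected, and no in-branch fix is listed,
        # so the only remedy in the advisory is upgrading to a fixed branch.
        return "vulnerable_no_fix"
    return "fixed" if ver >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions covering each outcome.
    for v in ("3.13.0", "3.13.14", "3.16.1", "3.16.2", "3.17.0", "3.12.5"):
        print(f"{v:>8}: {assess(v)}")
```

Feed it the version shown in the GHES management console to decide whether the recommended upgrade is still outstanding.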

Fix · LPE · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-05158
CVE-2025-3509

Affected Products

Github Enterprise Server