PT-2025-4866 · Github · Github Enterprise Server

Hakivvi · Published 2025-01-21 · Updated 2025-09-05 · CVE-2025-23369

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.12.14
GitHub Enterprise Server versions prior to 3.13.10
GitHub Enterprise Server versions prior to 3.14.7
GitHub Enterprise Server versions prior to 3.15.2
GitHub Enterprise Server versions prior to 3.16.0
Description
An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allows signature spoofing by unauthorized internal users. The issue affects instances that use SAML single sign-on, and the attacker must already be an existing user of the instance. Over 36,000 services are potentially affected. The vulnerability can be exploited by abusing libxml2 quirks to bypass SAML authentication.
Recommendations
GitHub Enterprise Server version prior to 3.12.14: update to version 3.12.14 or later.
GitHub Enterprise Server version prior to 3.13.10: update to version 3.13.10 or later.
GitHub Enterprise Server version prior to 3.14.7: update to version 3.14.7 or later.
GitHub Enterprise Server version prior to 3.15.2: update to version 3.15.2 or later.
GitHub Enterprise Server version prior to 3.16.0: update to version 3.16.0 or later.
As a temporary workaround, consider restricting access to SAML authentication until a patch is applied.
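The weakness class here is that the element whose signature is verified and the element whose contents are trusted can drift apart when the XML parser's behaviour differs from the verifier's expectations. The following is an added example written for this advisory, not code from GitHub, Positive Technologies or the researcher. It shows the structural checks a SAML service provider should bind its signature verification to: no DTD or entity declarations, exactly one Assertion, no comment nodes inside it, an enveloped Signature whose Reference URI points at that Assertion's unique ID. Function names and the sample SAML response are constructed for illustration; the cryptographic verification of the signature itself is assumed to be done separately by an XML-DSig library.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _parse_keeping_comments(xml_bytes: bytes) -> ET.Element:
    """Parse with comment nodes preserved so they can be detected (Python 3.8+)."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    parser.feed(xml_bytes)
    return parser.close()


def check_saml_response(xml_bytes: bytes) -> list[str]:
    """Structural checks that must hold before the verified signature is trusted.

    Returns a list of findings; an empty list means the response passed. The
    signature bytes are NOT verified here (hypothetical helper, see lead-in).
    """
    findings: list[str] = []

    # 1. Refuse DTDs and entity declarations outright: they are the usual
    #    source of parser-specific surprises in XML security processing.
    lowered = xml_bytes.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DTD or entity declaration present; reject before parsing"]

    try:
        root = _parse_keeping_comments(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{SAMLP}}}Response":
        findings.append(f"root element is {root.tag}, expected samlp:Response")

    # 2. Exactly one Assertion, and it must be a direct child of the Response.
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    if len(assertions) != 1:
        findings.append(f"expected exactly one Assertion, found {len(assertions)}")
        return findings
    assertion = assertions[0]
    if not any(child is assertion for child in root):
        findings.append("Assertion is not a direct child of the Response")

    # 3. No comment nodes inside the Assertion: parsers disagree on how a
    #    comment splits adjacent text, so the value verified may not be the
    #    value consumed.
    if any(node.tag is ET.Comment for node in assertion.iter()):
        findings.append("XML comment inside the Assertion")

    # 4. The Assertion ID must exist and be unique in the whole document.
    assertion_id = assertion.get("ID", "")
    if not assertion_id:
        findings.append("Assertion has no ID attribute")
    elif sum(1 for el in root.iter() if el.get("ID") == assertion_id) != 1:
        findings.append(f"ID {assertion_id!r} is not unique in the document")

    # 5. Exactly one enveloped Signature, and its Reference must point at the
    #    Assertion that is about to be consumed, not at some other element.
    signatures = [c for c in assertion if c.tag == f"{{{DS}}}Signature"]
    if len(signatures) != 1:
        findings.append(
            f"expected one enveloped Signature in the Assertion, found {len(signatures)}"
        )
        return findings
    ref = signatures[0].find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI") if ref is not None else None
    if uri != f"#{assertion_id}":
        findings.append(
            f"Signature Reference URI {uri!r} does not point at the consumed Assertion #{assertion_id}"
        )
    return findings


# Constructed sample response (signature value is a placeholder, not a real signature).
GOOD_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed negative cases for the validator.
REF_MISMATCH_RESPONSE = GOOD_RESPONSE.replace(b'URI="#_a1"', b'URI="#_resp1"')
DTD_RESPONSE = b"<!DOCTYPE x>" + GOOD_RESPONSE

if __name__ == "__main__":
    for name, doc in [("good", GOOD_RESPONSE), ("ref-mismatch", REF_MISMATCH_RESPONSE), ("dtd", DTD_RESPONSE)]:
        print(name, check_saml_response(doc) or "ok")
```

The point of returning findings rather than a boolean is that a service provider should log which structural invariant failed; a sudden run of "Reference URI does not point at the consumed Assertion" or "DTD present" events from an existing user's sessions is the detection signal for the kind of spoofing this advisory describes.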

Exploit

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2025-02596
CVE-2025-23369

Affected Products

Github Enterprise Server