Code-hosting platform GitHub has rolled out patches for a remote code execution (RCE) vulnerability in multiple Enterprise Server versions.
Tracked as CVE-2025-3509 (CVSS score of 7.1), the flaw could have allowed attackers to exploit the pre-receive hook functionality to bind to ports that are dynamically allocated and become available.
Exploitation of the flaw, GitHub says, is only possible under specific operational conditions, which suggests that the attack window is reduced.
“This vulnerability is only exploitable under specific operational conditions, such as during the hot patching process, and requires either site administrator permissions or a user with privileges to modify repositories containing pre-receive hooks,” GitHub explains.
An initial fix for the security defect was found incomplete, allowing attackers to exploit the issue in certain cases, and a new patch was rolled out, the Microsoft-owned platform says.
Successful exploitation of CVE-2025-3509 could have allowed attackers to execute arbitrary code and elevate their privileges, potentially leading to full system compromise.
According to GitHub, all Enterprise Server releases prior to 3.18 are affected. Fixes for the bug were included in Enterprise Server versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, and 3.13.16, which were rolled out last week.
GitHub says the vulnerability was reported through its bug bounty program and makes no mention of its in-the-wild exploitation.
Related: Files Deleted From GitHub Repos Leak Valuable Secrets
Related: GitHub Patches Critical Vulnerability in Enterprise Server
Related: GitHub Actions Artifacts Leak Tokens and Expose Cloud Services and Repositories
