GitHub Enterprise Server up to 3.18.0 link following

Summaryinfo

A vulnerability categorized as critical has been discovered in GitHub Enterprise Server up to 3.14.18/3.15.13/3.16.9/3.17.6/3.18.0. Affected by this issue is some unknown functionality. The manipulation results in link following. This vulnerability is cataloged as CVE-2025-11578. The attack may be launched remotely. There is no exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in GitHub Enterprise Server up to 3.14.18/3.15.13/3.16.9/3.17.6/3.18.0. Affected is an unknown functionality. The manipulation with an unknown input leads to a link following vulnerability. CWE is classifying the issue as CWE-59. The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program.

The weakness was shared by inspector-ambitious. The advisory is available at docs.github.com. This vulnerability is traded as CVE-2025-11578 since 10/10/2025. The exploitability is told to be difficult. It is possible to launch the attack remotely. Additional levels of successful authentication are needed for exploitation. The technical details are unknown and an exploit is not available.

Upgrading to version 3.14.19, 3.15.14, 3.16.10, 3.17.7 or 3.18.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-50831). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Bug Tracking Software

Vendor

• GitHub

Name

• Enterprise Server

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5
• 3.6
• 3.7
• 3.8
• 3.9
• 3.10
• 3.11
• 3.12
• 3.13
• 3.14
• 3.14.0
• 3.14.1
• 3.14.2
• 3.14.3
• 3.14.4
• 3.14.5
• 3.14.6
• 3.14.7
• 3.14.8
• 3.14.9
• 3.14.10
• 3.14.11
• 3.14.12
• 3.14.13
• 3.14.14
• 3.14.15
• 3.14.16
• 3.14.17
• 3.14.18
• 3.15
• 3.15.0
• 3.15.1
• 3.15.2
• 3.15.3
• 3.15.4
• 3.15.5
• 3.15.6
• 3.15.7
• 3.15.8
• 3.15.9
• 3.15.10
• 3.15.11
• 3.15.12
• 3.15.13
• 3.16
• 3.16.0
• 3.16.1
• 3.16.2
• 3.16.3
• 3.16.4
• 3.16.5
• 3.16.6
• 3.16.7
• 3.16.8
• 3.16.9
• 3.17
• 3.17.0
• 3.17.1
• 3.17.2
• 3.17.3
• 3.17.4
• 3.17.5
• 3.17.6
• 3.18.0

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion