GitHub has released security updates for GitHub Enterprise Server to fix several vulnerabilities, including a high-severity flaw that could allow code execution by attackers. Organizations are urged to apply these patches quickly to ensure system protection.
High-Risk Code Execution Vulnerability:
A vulnerability (CVE-2025-3509) in the pre-receive hook feature of GitHub Enterprise Server could allow attackers to execute arbitrary code, leading to privilege escalation and full system compromise. The flaw is exploited by binding to dynamically allocated ports that become temporarily available, notably during a hot patch upgrade.
The vulnerability can only be exploited under specific conditions, such as while a hot patch is being applied. It also requires either site administrator permissions or a user account with rights to modify repositories that have pre-receive hooks.
Information Disclosure Vulnerability:
A medium-severity vulnerability (CVE-2025-3124) may let a signed-in user see the names of private repositories they are not authorized to access. The issue arises in the GitHub Advanced Security Overview, which is missing an authorization check when the "only archived:" filter is used.
Cross-Site Scripting Vulnerability:
A high-severity vulnerability (CVE-2025-3246) in GitHub's Markdown rendering allows attackers to embed malicious HTML/CSS in math blocks ($$ .. $$), which could lead to cross-site scripting (XSS). Exploitation requires access to a targeted GitHub Enterprise Server instance and interaction from a privileged user. GitHub has addressed the issue by no longer letting dollar signs escape math blocks and by improving the escaping of non-wrapped content.
Affected Versions and Mitigations:
The following versions of GitHub Enterprise Server are affected:
Affected from 3.13.0 through 3.13.13; unaffected from 3.13.14
Affected from 3.14.0 through 3.14.10; unaffected from 3.14.11
Affected from 3.15.0 through 3.15.5; unaffected from 3.15.6
Affected from 3.16.0 through 3.16.1; unaffected from 3.16.2
GitHub has released patched versions for each affected release line. Administrators should upgrade their GitHub Enterprise Server instances to the fixed version for their branch (or the latest release) to maintain system and data security.
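As an added example (not code from the advisory or from GitHub), the following Python script encodes the affected ranges listed above and reports, for each GitHub Enterprise Server version an administrator collects from their fleet, whether it falls in an affected range and which release fixes it. Release branches the advisory does not mention are reported as "not listed" rather than assumed safe; the version strings in the sample fleet are constructed for illustration.

```python
# Affected ranges from the advisory above, per release branch:
# (first affected, last affected, first fixed release).
AFFECTED_RANGES = [
    ((3, 13, 0), (3, 13, 13), (3, 13, 14)),
    ((3, 14, 0), (3, 14, 10), (3, 14, 11)),
    ((3, 15, 0), (3, 15, 5), (3, 15, 6)),
    ((3, 16, 0), (3, 16, 1), (3, 16, 2)),
]


def parse_version(text):
    """Parse a GHES version string such as '3.15.5' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("not a major.minor.patch version: %r" % text)
    return tuple(int(p) for p in parts)


def assess(version):
    """Return a dict describing whether `version` is affected and the release to upgrade to.

    `affected` is True/False for branches the advisory lists and None for
    branches it does not mention (e.g. 3.12.x or 3.17.x), since the advisory
    says nothing about them and they should be checked separately.
    """
    v = parse_version(version)
    branch = "%d.%d" % (v[0], v[1])
    for first, last, fixed in AFFECTED_RANGES:
        if first[:2] == v[:2]:  # same major.minor release branch
            return {
                "version": version,
                "branch": branch,
                "affected": first <= v <= last,
                "fixed_in": ".".join(str(n) for n in fixed),
            }
    return {"version": version, "branch": branch, "affected": None, "fixed_in": None}


def needs_upgrade(versions):
    """Return the subset of `versions` that sit inside an affected range, with their fix version."""
    return [r for r in (assess(v) for v in versions) if r["affected"]]


if __name__ == "__main__":
    # Constructed sample fleet (hypothetical instances), not data from the advisory.
    fleet = ["3.13.13", "3.14.11", "3.15.5", "3.16.2", "3.12.9"]
    for result in needs_upgrade(fleet):
        print("%s is affected; upgrade to %s" % (result["version"], result["fixed_in"]))
```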