After a hunter scored a bounty in their bug bounty program, GitHub released patches addressing a high-severity remote code execution (RCE) vulnerability, tracked as CVE-2025-3509, that affected multiple versions of GitHub Enterprise Server. There is no indication that the vulnerability was exploited in the wild prior to patching.
Vulnerability Details
CVE-2025-3509 (CVSS 7.1) is a remote code execution flaw that allowed attackers to execute arbitrary code on vulnerable GitHub Enterprise Server instances. The vulnerability was tied to the pre-receive hook functionality. Attackers could exploit it to bind to dynamically allocated ports that temporarily become available, particularly during the hot patching process. Successful exploitation could lead to privilege escalation and potentially full system compromise.
The vulnerability was reported through GitHub’s bug bounty program. Exploitation required either site administrator permissions or a user account with privileges to modify repositories containing pre-receive hooks. The vulnerability was only exploitable under specific operational conditions, which limited the attack window.
Affected and Patched Versions
All GitHub Enterprise Server releases prior to 3.17 were affected. Patches were released in the following versions:
• 3.16.2
• 3.15.6
• 3.14.11
• 3.13.14
Later, additional patches were issued in 3.17.1, 3.16.4, 3.15.8, 3.14.13, and 3.13.16 after an initial fix was found incomplete.
GitHub recommends that all users of affected versions update to the latest patched release as soon as possible.
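For an administrator with a fleet of instances, the practical question is which hosts still need the follow-up release rather than the incomplete first fix. The script below is an added example written for this article, not GitHub's own tooling: it compares an inventory of GitHub Enterprise Server version strings against the per-branch fix levels listed above. The hostnames and versions in the inventory are constructed, and the treatment of branches older than 3.13 (no fix published) and of 3.17.0 (carrying only the first fix) is an inference from the article, labelled as such in the code.

```python
"""Triage GitHub Enterprise Server instances against the CVE-2025-3509 fix levels.

Added example for this article; not GitHub's own tooling. Version numbers
come from the article text. Anything marked 'assumption' or 'inferred' is
not stated on the page.
"""
from __future__ import annotations

# First round of patches from the article, later found to be incomplete.
# 3.17.0 is inferred: the article lists releases before 3.17 as affected and
# then names 3.17.1 among the follow-up releases, so 3.17.0 is treated as
# shipping with the first fix only.
INITIAL_FIX = {
    13: (3, 13, 14),
    14: (3, 14, 11),
    15: (3, 15, 6),
    16: (3, 16, 2),
    17: (3, 17, 0),  # inferred, see above
}

# Follow-up patches from the article; these are the versions a defender
# should treat as the real fix level for each branch.
COMPLETE_FIX = {
    13: (3, 13, 16),
    14: (3, 14, 13),
    15: (3, 15, 8),
    16: (3, 16, 4),
    17: (3, 17, 1),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' (or 'X.Y', read as X.Y.0) into a comparable tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GHES version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(text: str) -> str:
    """Classify one instance against the fix levels.

    Returns one of: 'patched', 'partially patched' (only the incomplete
    first fix), 'vulnerable', 'unsupported' (assumption: branches older
    than 3.13 have no fix published), or 'unknown' (not covered here).
    """
    version = parse_version(text)
    major, minor, _ = version
    if major != 3:
        return "unknown"
    if minor in COMPLETE_FIX:
        if version >= COMPLETE_FIX[minor]:
            return "patched"
        if minor in INITIAL_FIX and version >= INITIAL_FIX[minor]:
            return "partially patched"
        return "vulnerable"
    if minor < 13:
        return "unsupported"  # assumption: no patched release for this branch
    return "unknown"  # branches newer than 3.17 are not covered by the article


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status so the hosts needing action stand out."""
    groups: dict[str, list[str]] = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(assess(version), []).append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ghes-prod-1.example.internal": "3.16.4",
    "ghes-prod-2.example.internal": "3.16.3",
    "ghes-staging.example.internal": "3.15.5",
    "ghes-legacy.example.internal": "3.12.9",
    "ghes-lab.example.internal": "3.17.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}:")
        for host in hosts:
            print(f"  {host} ({SAMPLE_INVENTORY[host]})")
```

Hosts reported as "partially patched" are the ones most easily overlooked: they were updated after the first advisory but sit below the follow-up release for their branch, so a naive "is it on a patched version?" check would wrongly clear them.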