CVE-2025-11578

10.11.2025, 23:15

A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root users authorized keysthereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
GitHub_P	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19

https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14

https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10

https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7

https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1