CVE-2025-23369

EUVD-2025-3159

21.01.2025, 19:15

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users.  Instances not utilizing SAML single sign-on or where the attacker is not already an existing user were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. This vulnerability was reported via the GitHub Bug Bounty program.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_P	CNA	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 93%

Affected Products (NVD)

Vendor	Product	Version
github	enterprise_server	𝑥 < 3.12.14
github	enterprise_server	3.13.0 ≤ 𝑥 < 3.13.10
github	enterprise_server	3.14.0 ≤ 𝑥 < 3.14.7
github	enterprise_server	3.15.0 ≤ 𝑥 < 3.15.2

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
github	github	3.12.0 ≤ 𝑥 ≤ 3.12.13	CNA
github	github	3.13.0 ≤ 𝑥 ≤ 3.13.9	CNA
github	github	3.14.0 ≤ 𝑥 ≤ 3.14.6	CNA
github	github	3.15.0 ≤ 𝑥 ≤ 3.15.1	CNA

Common Weakness Enumeration

CWE-347 - Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.

References

https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.14

https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.10

https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.7

https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.2