CVE-2025-11578
📋 TL;DR
This CVE describes a privilege escalation vulnerability in GitHub Enterprise Server where authenticated enterprise administrators could gain root SSH access by exploiting symlink escape in pre-receive hook environments. Attackers could replace system binaries during hook cleanup and add their SSH key to root's authorized_keys. This affects all GitHub Enterprise Server versions prior to 3.19.
💻 Affected Systems
- GitHub Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GitHub Enterprise Server appliance with root SSH access, allowing data exfiltration, system modification, and persistence.
Likely Case
Malicious enterprise admin gains root access to the appliance, potentially compromising all repositories, user data, and system integrity.
If Mitigated
Limited impact if proper access controls and monitoring are in place, though root access would still be achieved.
🎯 Exploit Status
Exploitation requires enterprise admin privileges and knowledge of symlink escape techniques in pre-receive hook environments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2, or 3.19+
Vendor Advisory: https://docs.github.com/en/enterprise-server/admin/release-notes
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Upgrade to a patched version (3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2, or 3.19+).
3. Follow GitHub's upgrade documentation for your specific version.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Enterprise Admin Access
Limit enterprise admin privileges to only trusted personnel and implement strict access controls.
Monitor Pre-receive Hook Activity
Implement logging and monitoring for pre-receive hook execution and file system changes.
🧯 If You Can't Patch
- Implement strict least-privilege access controls for enterprise admin roles
- Monitor SSH key additions to root's authorized_keys file and audit all pre-receive hook activities
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the management console or the administrative shell (SSH). Your instance is vulnerable if it is older than the patch release for its release line: below 3.14.20 on 3.14, 3.15.15 on 3.15, 3.16.11 on 3.16, 3.17.8 on 3.17, or 3.18.2 on 3.18.
Check Version:
ssh -p 122 admin@your-ghes-instance 'ghe-version'
Alternatively, read the version from the management console.
Verify Fix Applied:
After upgrading, verify the version is 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2, or 3.19+ and test that pre-receive hooks function normally.
📡 Detection & Monitoring
Log Indicators:
- Unexpected SSH key additions to /root/.ssh/authorized_keys
- Unusual pre-receive hook execution patterns
- File system modifications in system binary directories during hook cleanup
Network Indicators:
- Unexpected SSH connections to the appliance from new IP addresses
- Increased SSH traffic to root account
SIEM Query:
source="github-enterprise" AND (event="ssh_key_added" OR event="pre_receive_hook_execution") | stats count by user, source_ip
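As an added example (not code from the advisory or from GitHub), a Python check covering the first and third log indicators above: compare the entries in root's authorized_keys against a baseline of known key fingerprints, and verify files in a system binary directory against a hash manifest. The key blobs, file contents and directory are constructed for illustration; on a real appliance the baseline would be captured right after a trusted upgrade.

```python
import base64, hashlib, re, struct, tempfile
from pathlib import Path
# An authorized_keys entry is "[options] keytype base64-blob [comment]"; options may hold quoted strings with spaces, so find the key-type token directly.
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[\w.@-]+)\s+([A-Za-z0-9+/=]+)")

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a public key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(b64_blob)).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Return (keytype, fingerprint) per entry, skipping blank and comment lines."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.search(line) if line and not line.startswith("#") else None
        if m:
            out.append((m.group(1), fingerprint(m.group(2))))
    return out

def unexpected_keys(current: str, baseline_fps: set) -> list:
    """Entries in the current file whose fingerprint is absent from the baseline."""
    return [k for k in parse_authorized_keys(current) if k[1] not in baseline_fps]

def modified_files(directory: str, baseline: dict) -> dict:
    """Report baseline files under `directory` whose sha256 changed or that vanished."""
    findings = {}
    for name, expected in baseline.items():
        path = Path(directory) / name
        actual = hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None
        if actual != expected:
            findings[name] = "missing" if actual is None else "modified"
    return findings

def constructed_entry(tag: bytes, comment: str, options: str = "") -> str:
    """Constructed, structurally valid ssh-ed25519 entry (not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(tag).digest()
    return f"{options + ' ' if options else ''}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

BASELINE_KEYS = "\n".join(["# constructed stand-in for a known-good /root/.ssh/authorized_keys",
    constructed_entry(b"admin-1", "ghe-admin@mgmt"),
    constructed_entry(b"backup", "backup-host", 'command="/usr/bin/rsync --server",no-pty')])
BASELINE_FPS = {fp for _, fp in parse_authorized_keys(BASELINE_KEYS)}

def demo_binary_check() -> dict:
    """Baseline one constructed file in a temp dir, overwrite it, then re-check."""
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "tool"
        tool.write_bytes(b"#!/bin/sh\necho original\n")
        baseline = {"tool": hashlib.sha256(tool.read_bytes()).hexdigest(), "gone": "0" * 64}
        tool.write_bytes(b"#!/bin/sh\necho replaced\n")
        return modified_files(d, baseline)
```

Run `unexpected_keys` against the live file on a schedule and alert on any non-empty result; a key whose fingerprint is not in the baseline is exactly the indicator the advisory describes.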
🔗 References
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2