CVE-2025-6981

4.3 MEDIUM

📋 TL;DR

An incorrect authorization vulnerability in GitHub Enterprise Server allowed contractor accounts to read internal repository contents when the Contractors API feature was enabled. This affected all versions prior to 3.18, but only impacted systems with the rarely-used Contractors API feature enabled in private preview.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions prior to 3.18
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the Contractors API feature is enabled, which is described as 'rarely-enabled' and in 'private preview'.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized contractors could exfiltrate sensitive source code, intellectual property, or confidential data from internal repositories, potentially leading to data breaches or competitive disadvantage.

🟠

Likely Case

Limited exposure due to the feature being rarely enabled and in private preview, but if exploited, could result in unauthorized access to proprietary code or sensitive information.

🟢

If Mitigated

No impact if the Contractors API feature is disabled or if proper access controls and monitoring are in place to detect unauthorized access attempts.

🌐 Internet-Facing: LOW - GitHub Enterprise Server is typically deployed internally, and this vulnerability requires authenticated contractor accounts with the specific feature enabled.
🏢 Internal Only: MEDIUM - While the feature is rarely enabled, if present, it could allow internal contractors to access repositories beyond their intended permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires authenticated contractor account and the feature to be enabled, but exploitation appears straightforward once those conditions are met.

Exploitation requires specific configuration (Contractors API enabled) and authenticated contractor access, making widespread exploitation unlikely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.14.15, 3.15.10, 3.16.6, 3.17.3, or any version 3.18+

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15

Restart Required: Yes

Instructions:

1. Back up your GitHub Enterprise Server instance.
2. Upgrade to one of the patched versions: 3.14.15, 3.15.10, 3.16.6, 3.17.3, or any version 3.18+.
3. Follow GitHub's upgrade procedures for your specific version.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Disable Contractors API Feature

Disable the Contractors API feature if it's not required for your operations.

Check GitHub Enterprise Server documentation for feature management commands specific to your version

🧯 If You Can't Patch

  • Disable the Contractors API feature immediately if enabled
  • Implement strict access controls and monitoring for contractor accounts, and review audit logs for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check if GitHub Enterprise Server version is below 3.18 AND the Contractors API feature is enabled. Use the management console or SSH to check version and feature status.

Check Version:

ssh admin@your-ghes-instance 'ghe-version' (the GHES administrative shell utility that prints the version, platform and build), or check via the management console

Verify Fix Applied:

Verify the version is 3.14.15, 3.15.10, 3.16.6, 3.17.3, or any version 3.18+ using the management console or version check command.
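Added example (not from the advisory or from GitHub): a small Python check that compares a reported GHES version string against the patched releases listed above, treating any 3.18 or later release as fixed and any branch older than 3.14 as having no fixed release. The version string format it accepts is an assumption; it takes the first x.y.z token it finds.

```python
"""Check whether a GitHub Enterprise Server version carries the CVE-2025-6981 fix."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched release per supported branch, as listed in the advisory.
PATCHED_MINIMUMS: Dict[Tuple[int, int], Version] = {
    (3, 14): (3, 14, 15),
    (3, 15): (3, 15, 10),
    (3, 16): (3, 16, 6),
    (3, 17): (3, 17, 3),
}
# Every release on 3.18 or later is patched regardless of patch number.
FIRST_FIXED_MINOR = (3, 18)


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch token from a version string.

    Tolerates surrounding text (assumed format, e.g. a constructed
    'GitHub Enterprise Server 3.16.5' line) so raw tool output can be passed in.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_FIXED_MINOR:
        return True
    minimum: Optional[Version] = PATCHED_MINIMUMS.get((major, minor))
    if minimum is None:
        # Branch older than 3.14: no fixed release exists on it, so treat as vulnerable.
        return False
    return (major, minor, patch) >= minimum


if __name__ == "__main__":
    # Constructed sample inputs; replace with the output of your own version check.
    for sample in ("3.14.14", "3.14.15", "3.17.2", "GitHub Enterprise Server 3.18.0"):
        print(sample, "->", "patched" if is_patched(sample) else "VULNERABLE version")
```

A patched version only closes the authorization flaw; whether the Contractors API feature is enabled still has to be checked separately.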

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns from contractor accounts to internal repositories
  • API calls to contractor-specific endpoints accessing unauthorized repositories

Network Indicators:

  • Increased data transfer from GitHub Enterprise Server to contractor-controlled systems

SIEM Query:

source="github-enterprise" AND (user_type="contractor" AND repository_access="internal")
