CVE-2025-6600
BaseFortify
Publication date: 2025-07-01
Last updated on: 2025-09-05
Assigner: GitHub, Inc. (Products Only)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | From 3.17.0 (inc) to 3.17.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitHub Enterprise Server version 3.17 allows an attacker to disclose the names of private repositories within an organization. It can be exploited by using a user-to-server token with no scopes via the Search API endpoint. However, successful exploitation requires that an organization administrator installs a malicious GitHub App in the organization's repositories.
How can this vulnerability impact me? :
The vulnerability could lead to exposure of sensitive information by revealing the names of private repositories, potentially compromising organizational privacy and security. This could allow attackers to gain insights into private projects or sensitive data stored in those repositories.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade GitHub Enterprise Server from version 3.17 to version 3.17.2 or later. Additionally, review and restrict the installation of GitHub Apps within your organization, ensuring only trusted apps are installed by organization administrators.