CVE-2025-8447
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-09-03
Assigner: GitHub, Inc. (Products Only)
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | Up to 3.14.17 (exc) |
| github | enterprise_server | From 3.15.0 (inc) to 3.15.12 (exc) |
| github | enterprise_server | From 3.16.0 (inc) to 3.16.8 (exc) |
| github | enterprise_server | From 3.17.0 (inc) to 3.17.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper access control issue in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository without proper authorization. An attacker needed to know the name of a private repository and some of its branches, tags, or commit SHAs to exploit the compare/diff functionality and access code they should not have access to.
How can this vulnerability impact me?
This vulnerability could allow an attacker with limited access to one repository to access limited code content from private repositories they should not have access to. This could lead to unauthorized disclosure of proprietary or sensitive code, potentially compromising intellectual property or security of the affected projects.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade your GitHub Enterprise Server to one of the fixed versions (3.14.17, 3.15.12, 3.16.8, or 3.17.5) or a later release. Avoid using versions prior to 3.18 until patched.