Cyber Posture

CVE-2025-23369

High

Published: 21 January 2025
Modified: 05 September 2025
KEV Added: not listed
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1178 (93.7th percentile)
Risk Priority: 25 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users. Instances not utilizing SAML single sign-on or where the attacker is not already an existing user were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. This vulnerability was reported via the GitHub Bug Bounty program.

Security Summary

CVE-2025-23369 is an improper verification of cryptographic signature vulnerability (CWE-347) in GitHub Enterprise Server, enabling signature spoofing. It affects all versions prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. The issue was reported through the GitHub Bug Bounty program and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is exploitable over the network by an authenticated, low-privileged user (an existing account with limited permissions) on GitHub Enterprise Server instances configured for SAML single sign-on. Instances that do not use SAML SSO, or where the attacker does not already hold a user account, are not affected. Successful exploitation allows the attacker to spoof signatures, with potentially high impact on confidentiality, integrity, and availability.

Mitigation requires upgrading to GitHub Enterprise Server versions 3.12.14, 3.13.10, 3.14.7, 3.15.2, or 3.16.0, as detailed in the corresponding release notes.

Details

CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)

Affected Products

Vendor: github
Product: enterprise server
Versions: ≤ 3.12.14 · 3.13.0 to 3.13.10 · 3.14.0 to 3.14.7

References