CVE-2025-23369

moderate-risk

Published 2025-01-21

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users. Instances not utilizing SAML single sign-on or where the attacker is not already an existing user were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. This vulnerability was reported via the GitHub Bug Bounty program.

Do I need to act?

11.8% chance of exploitation in next 30 days

EPSS score — higher than 88% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Enterprise Server

Affected Vendors

Github

References (4)

Release Notes https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.14

Release Notes https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.10

Release Notes https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.7

Release Notes https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.2

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 11/34 · Low

Exposure 5/34 · Minimal