CVE-2025-6981

low-risk

Published 2025-07-15

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Enterprise Server

Affected Vendors

Github

References (4)

Release Notes https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15

Release Notes https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10

Release Notes https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6

Release Notes https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal