GitHub and GitHub Enterprise Server: Code smuggling via push
On GitHub.com and GitHub Enterprise Server, attackers with push rights to a repository could inject malicious code into the platform itself. Updates close the hole.
(Image: Sundry Photography/Shutterstock.com)
A vulnerability that comes with a built-in earworm (Salt-N-Pepa's "Push It"): attackers with push rights to one or more repositories could inject malicious code over the network into GitHub Enterprise Server (and GitHub.com). A standard git client is all that is needed.
Security researchers at Wiz discovered the vulnerability and describe it in a blog post. By exploiting an injection flaw in GitHub's internal protocols, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single "git push". Unsurprisingly, the Wiz researchers note that they found the vulnerability with the help of AI. On GitHub.com they were able to run code remotely on shared storage nodes; on GitHub Enterprise Server the whole server could be compromised, including access to all hosted repositories and internal secrets.
CVE entry with brief vulnerability description
GitHub has published a CVE entry for the flaw. According to it, the vulnerability stems from insufficient sanitization of special elements that users pass as push options in their requests and that were copied into internal service headers. Because these headers use a delimiter that can also appear in user input, attackers could inject additional metadata fields by way of crafted push options (CVE-2026-3854, CVSS 4 score 8.7, risk "high"). The vulnerability was reported through the bug bounty program; GitHub does not say whether a bounty was paid or how much. Faced with a flood of AI-generated vulnerability reports, more and more projects are dropping bounty payments altogether.
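To make the bug class concrete, here is a small model of what the CVE text describes: user-supplied push options (`git push -o <option>`) being joined into an internal metadata header with a delimiter that the user can also type. This is an added illustration, not code from GitHub or Wiz; the header layout, the `;` delimiter, the `=` separator and the field names `repo`, `actor` and `push-option` are assumptions chosen for the example and say nothing about GitHub's real internal protocol. The weak builder is shown next to a fail-closed variant.

```python
"""Model of the bug class in CVE-2026-3854 as the article describes it: git push
options copied verbatim into an internal service header whose field delimiter
can also occur in user input.

Added example, not code from GitHub or Wiz. The header layout, the ';'
delimiter, the '=' separator and the field names are assumptions chosen for
illustration, not GitHub's real internal protocol.
"""
from __future__ import annotations

DELIM = ";"      # assumed delimiter between metadata fields in the internal header
KV_SEP = "="     # assumed key/value separator inside a field

# Constructed payload: a user sends it with `git push -o <option>`. The part
# after the delimiter smuggles a second 'actor' field into the header.
MALICIOUS_OPTION = "ci.skip" + DELIM + "actor" + KV_SEP + "site-admin"


class PushOptionError(ValueError):
    """Raised by the hardened builder when an option could break the header."""


def build_header_vulnerable(repo: str, actor: str, push_options: list[str]) -> str:
    """Weak pattern: trusted fields and raw user options joined with DELIM,
    with no check that an option itself contains DELIM."""
    fields = [f"repo{KV_SEP}{repo}", f"actor{KV_SEP}{actor}"]
    fields += [f"push-option{KV_SEP}{opt}" for opt in push_options]
    return DELIM.join(fields)


def build_header_hardened(repo: str, actor: str, push_options: list[str]) -> str:
    """Fail closed: refuse any option containing the delimiter or a control
    character, so user input can never end a field or start a new one."""
    for opt in push_options:
        if DELIM in opt or any(ord(c) < 0x20 or c == "\x7f" for c in opt):
            raise PushOptionError(f"push option contains forbidden characters: {opt!r}")
    return build_header_vulnerable(repo, actor, push_options)


def parse_header(header: str) -> dict[str, list[str]]:
    """Backend side: split the header back into fields, keeping every value
    seen for a key so an injected duplicate stays visible."""
    fields: dict[str, list[str]] = {}
    for item in header.split(DELIM):
        key, _, value = item.partition(KV_SEP)
        fields.setdefault(key, []).append(value)
    return fields


def effective_actor(header: str) -> str:
    """A naive consumer that takes the last 'actor' value: with the injected
    field present, the attacker's value wins."""
    return parse_header(header)["actor"][-1]


if __name__ == "__main__":
    vuln = build_header_vulnerable("octo/app", "alice", [MALICIOUS_OPTION])
    print(vuln)
    print(parse_header(vuln))
    print("effective actor:", effective_actor(vuln))
    try:
        build_header_hardened("octo/app", "alice", [MALICIOUS_OPTION])
    except PushOptionError as err:
        print("hardened builder rejected:", err)
    print(build_header_hardened("octo/app", "alice", ["ci.skip"]))
```

Rejecting the delimiter outright is the simplest fix for a header consumed by many internal services; percent-encoding every user value on the way in and decoding it only in the `push-option` consumer is the alternative when the options must be preserved byte for byte. Either way the check has to sit on the trust boundary, which in this model is the header builder, not on the git client side.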
According to Wiz, GitHub.com closed the vulnerability within six hours of the report, and the developers have released patches for all supported GitHub Enterprise Server versions. A CVE number with a description followed just as quickly. Wiz notes, however, that at the time its blog post was published on Tuesday, 88 percent of GitHub Enterprise Server instances were still vulnerable.
IT managers should therefore update their GitHub Enterprise Server instances to the fixed versions. GitHub has fixed the flaw in the following Enterprise Server releases: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, and 3.20.0 (or newer). The vulnerability description on GitHub also lists the releases immediately preceding these, but according to GitHub's blog post admins should update to the newer versions named here. GitHub also states that the vulnerability has not been exploited in attacks so far.
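For admins with more than one appliance, the check "is this instance on a fixed release?" is worth scripting rather than eyeballing. The following is an added helper written for this article, not a GitHub tool; it encodes the fixed releases listed above (assumed, as the article does, to cover all later patch levels on the same line and all release lines newer than 3.20) and flags lines older than 3.14, which have no fixed release and need a line upgrade. The version string is whatever the appliance reports, for example the `installed_version` field of its `/api/v3/meta` endpoint; the function and variable names are my own.

```python
"""Patch-level check against the GitHub Enterprise Server releases the article
lists as fixed for CVE-2026-3854.

Added example for this article, not a GitHub utility. Assumptions: a fix on a
release line covers every later patch level on that line, and every release
line newer than 3.20 is fixed ("3.20.0 or newer").
"""
from __future__ import annotations

import re

# (major, minor) -> first patch release on that line that carries the fix
FIRST_FIXED_PATCH = {
    (3, 14): 25,
    (3, 15): 20,
    (3, 16): 16,
    (3, 17): 13,
    (3, 18): 8,
    (3, 19): 4,
    (3, 20): 0,
}
NEWEST_LISTED_LINE = max(FIRST_FIXED_PATCH)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Accepts '3.17.12' or 'v3.17.12'. Anything else raises instead of
    silently reporting 'not vulnerable'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return int(match.group(1)), int(match.group(2)), int(match.group(3))


def is_fixed(version: str) -> tuple[bool, str]:
    """Returns (fixed, advice) for an installed GHES version string."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIRST_FIXED_PATCH:
        needed = FIRST_FIXED_PATCH[line]
        if patch >= needed:
            return True, f"{version} is at or above {major}.{minor}.{needed}"
        return False, f"update to {major}.{minor}.{needed} or a newer {major}.{minor}.x release"
    if line > NEWEST_LISTED_LINE:
        # '3.20.0 or newer' is taken to cover later release lines too
        return True, f"{version} is newer than every release line in the advisory"
    # Older than 3.14: no fixed patch exists on that line
    return False, f"{major}.{minor}.x has no fixed release; upgrade to 3.14 or a later line"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    inventory = {
        "ghe-eu-1": "3.17.12",
        "ghe-eu-2": "3.17.13",
        "ghe-us-1": "v3.20.1",
        "ghe-lab": "3.13.9",
    }
    for host, ver in inventory.items():
        fixed, advice = is_fixed(ver)
        print(f"{host:10} {ver:9} {'OK' if fixed else 'VULNERABLE'}: {advice}")
```

Run it against the version strings collected from each appliance; any `VULNERABLE` line is an instance that still belongs to the 88 percent Wiz counted. Keep the table in step with GitHub's advisory if the fixed versions are revised.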
(dmk)