CVE-2025-6981

Summary

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

Affected Software

VendorProductVersion RangeStatus
GitHubEnterprise Server3.14.0 < 3.14.15affected
GitHubEnterprise Server3.15.0 < 3.15.10affected
GitHubEnterprise Server3.16.0 < 3.16.6affected
GitHubEnterprise Server3.17.0 < 3.17.3affected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References