GitHub Enterprise Server <3.19: PrivEsc via Symlink Escape
CVE-2025-11578 Published on November 10, 2025
Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user's authorized keys, thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8 and 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program.
Weakness Type
What is an insecure temporary file vulnerability?
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CVE-2025-11578 has been classified as an insecure temporary file vulnerability or weakness. Note that the definition quoted above is the one for link following (CWE-59, Improper Link Resolution Before File Access) rather than for insecure temporary file creation (CWE-377); the two overlap here because the symlink escape in the hook environment is exactly a link that resolves to an unintended resource, in this case a system binary that gets overwritten during hook cleanup.
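The following is an added illustration of the weakness definition above, not GitHub's code and not the fix GitHub shipped (the advisory does not say how the bug was fixed). The directory layout, file contents and helper names are made up for the demo, and it assumes Linux (or another POSIX system where os.open supports dir_fd, O_NOFOLLOW and O_DIRECTORY). It builds a throwaway "hook environment" containing a relative symlink that points outside it, runs a naive cleanup that rewrites files by name (the write follows the link and lands on a fake "system binary"), and then runs a hardened cleanup that opens every path component relative to a directory fd with O_NOFOLLOW, so the check and the open are the same syscall and the planted link is rejected instead of followed.

```python
"""Link-following (CWE-59) pattern in a sandboxed hook environment, shown as a
naive file rewrite beside a symlink-safe one. Added example; all paths and
contents below are constructed for the demo, nothing here is GHES code."""
import errno
import os
import shutil
import tempfile

# Constructed sample data: a stand-in for a real system binary and the
# content an attacker would like written over it.
FAKE_SYSTEM_BINARY = b"#!/bin/sh\necho real-git\n"
ATTACKER_PAYLOAD = b"#!/bin/sh\necho pwned\n"


def build_fixture() -> tuple[str, str, str]:
    """Return (root, env_dir, system_binary). env_dir/bin/git is a symlink
    that escapes env_dir and resolves to the fake system binary."""
    root = tempfile.mkdtemp(prefix="hookdemo-")
    system_bin = os.path.join(root, "system", "bin")
    os.makedirs(system_bin)
    system_binary = os.path.join(system_bin, "git")
    with open(system_binary, "wb") as f:
        f.write(FAKE_SYSTEM_BINARY)
    env_dir = os.path.join(root, "hook_env")
    os.makedirs(os.path.join(env_dir, "bin"))
    # The escape: a relative link inside the environment whose target is
    # outside it (root/hook_env/bin/../../system/bin/git).
    os.symlink(os.path.join("..", "..", "system", "bin", "git"),
               os.path.join(env_dir, "bin", "git"))
    return root, env_dir, system_binary


def naive_cleanup(env_dir: str, files: dict[str, bytes]) -> None:
    """Vulnerable pattern: restore files in the environment by name.
    open() follows symlinks, so a link planted under env_dir redirects the
    write to wherever the link points."""
    for rel, data in files.items():
        with open(os.path.join(env_dir, rel), "wb") as f:
            f.write(data)


def open_in_env(env_fd: int, rel: str, flags: int, mode: int = 0o644) -> int:
    """Open env/rel without ever following a symlink. Each component is opened
    relative to the previous directory fd with O_NOFOLLOW, so there is no
    check-then-open race; a symlink component fails with ELOOP."""
    parts = rel.split("/")
    if rel.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"refusing path {rel!r}")
    dir_fd = env_fd
    try:
        for part in parts[:-1]:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            if dir_fd != env_fd:
                os.close(dir_fd)
            dir_fd = nfd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=dir_fd)
    finally:
        if dir_fd != env_fd:
            os.close(dir_fd)


def safe_cleanup(env_dir: str, files: dict[str, bytes]) -> list[str]:
    """Hardened pattern: same restore, but any path that is absolute, contains
    '..', or has a symlink component is skipped. Returns the skipped names."""
    rejected: list[str] = []
    env_fd = os.open(env_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for rel, data in files.items():
            try:
                fd = open_in_env(env_fd, rel,
                                 os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
            except ValueError:
                rejected.append(rel)
                continue
            except OSError as e:
                if e.errno in (errno.ELOOP, errno.ENOTDIR):
                    rejected.append(rel)
                    continue
                raise
            with os.fdopen(fd, "wb") as f:
                f.write(data)
    finally:
        os.close(env_fd)
    return rejected


def demo() -> dict[str, object]:
    """Run both cleanups against the fixture and report what happened."""
    root, env_dir, system_binary = build_fixture()
    files = {"bin/git": ATTACKER_PAYLOAD, "hook.sh": b"#!/bin/sh\nexit 0\n"}
    try:
        naive_cleanup(env_dir, files)
        with open(system_binary, "rb") as f:
            after_naive = f.read()          # payload escaped env_dir
        with open(system_binary, "wb") as f:
            f.write(FAKE_SYSTEM_BINARY)     # reset for the hardened run
        rejected = safe_cleanup(env_dir, files)
        with open(system_binary, "rb") as f:
            after_safe = f.read()
        hook_written = os.path.isfile(os.path.join(env_dir, "hook.sh"))
    finally:
        shutil.rmtree(root)
    return {
        "naive_overwrote_system_binary": after_naive == ATTACKER_PAYLOAD,
        "safe_rejected": rejected,
        "safe_kept_system_binary": after_safe == FAKE_SYSTEM_BINARY,
        "safe_wrote_regular_file": hook_written,
    }


if __name__ == "__main__":
    print(demo())
```

The point of open_in_env is that os.path.realpath or os.path.islink checks before the write leave a window in which the attacker can swap a regular file for a link; opening each component with O_NOFOLLOW relative to the parent's fd closes that window. Rejecting the link is usually the right reaction for a cleanup routine, since a link inside an environment the untrusted party controls has no legitimate reason to point outside it.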
Products Associated with CVE-2025-11578
GitHub Enterprise Server
Affected Versions
GitHub Enterprise Server:
- Version 3.14, <= 3.14.19 is affected (fixed in 3.14.20).
- Version 3.15, <= 3.15.14 is affected (fixed in 3.15.15).
- Version 3.16, <= 3.16.10 is affected (fixed in 3.16.11).
- Version 3.17, <= 3.17.7 is affected (fixed in 3.17.8).
- Version 3.18, <= 3.18.1 is affected (fixed in 3.18.2).
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.