CVE-2025-3124: 
GitHub Enterprise Server vulnerability analysis and mitigation

A missing authorization vulnerability was identified in GitHub Enterprise Server (CVE-2025-3124) that allowed users to view private repository names they shouldn't have access to in the GitHub Advanced Security Overview. The vulnerability was discovered in April 2025 and affected all versions of GitHub Enterprise Server prior to 3.17. The issue occurred when filtering with only the 'archived:' filter, where a missing authorization check allowed unauthorized access to private repository names (GitHub Release Notes).

The vulnerability is classified as MEDIUM severity and stems from a missing authorization check in the GitHub Advanced Security Overview feature. The issue specifically manifests when using the 'archived:' filter, which bypassed normal access controls that should prevent unauthorized users from seeing private repository names. The vulnerability has been assigned CVE ID CVE-2025-3124 and has been fixed in versions 3.13.14, 3.14.11, 3.15.6, and 3.16.2 (GitHub Release Notes).

The impact of this vulnerability allows unauthorized users to view private repository names that they wouldn't otherwise have access to within the GitHub Advanced Security Overview. While the exposure is limited to repository names and all other access controls were functioning normally, this could potentially reveal sensitive project information through repository naming (GitHub Release Notes).

GitHub has released patches to address this vulnerability in multiple versions: 3.13.14, 3.14.11, 3.15.6, and 3.16.2. Organizations running affected versions of GitHub Enterprise Server should upgrade to the patched versions to mitigate this security issue (GitHub Release Notes).

GitHub has acknowledged the vulnerability and promptly released security updates across multiple versions of GitHub Enterprise Server to address this and other security concerns (Security Online).