CVE-2025-3509: 
GitHub Enterprise Server vulnerability analysis and mitigation

A Remote Code Execution (RCE) vulnerability (CVE-2025-3509) was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality. The vulnerability was discovered on April 17, 2025, affecting all versions of GitHub Enterprise Server prior to 3.17. The vulnerability involves using dynamically allocated ports that become temporarily available during hot patch upgrades, making it exploitable only during specific operational conditions (NVD, ASEC).

The vulnerability is classified as HIGH severity with a CVSS 4.0 Base Score of 7.1. The vulnerability requires either site administrator permissions to enable and configure pre-receive hooks or a user with permissions to modify repositories containing pre-receive hooks where this functionality was already enabled. The attack vector is network-based (AV:N) with low attack complexity (AC:L) and requires privileged access (PR:H) (NVD).

If successfully exploited, the vulnerability could lead to privilege escalation and system compromise. The attacker could execute arbitrary code on the affected system, potentially gaining elevated privileges and full control of the system (CyberSecurity News).

GitHub has released security updates to address this vulnerability. The fixes are available in versions 3.16.2, 3.15.6, 3.14.11, and 3.13.14. Users of affected versions are strongly advised to upgrade to these patched versions immediately (ASEC).

GitHub has promptly addressed the vulnerability through their security update advisory system. The vulnerability was discovered through GitHub's Bug Bounty program, demonstrating the effectiveness of their security research community engagement (CyberSecurity News).