CVE-2025-6981: 
GitHub Enterprise Server vulnerability analysis and mitigation

An incorrect authorization vulnerability (CVE-2025-6981) was discovered in GitHub Enterprise Server, affecting all versions prior to 3.18. The vulnerability was disclosed on July 15, 2025, and allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is described as a rarely-enabled feature in private preview (GitHub Release Notes).

The vulnerability has been assigned a CVSS 4.0 Base Score of 5.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. The issue is classified as CWE-863 (Incorrect Authorization) and affects the authorization mechanism specifically related to the Contractors API feature (NVD).

When exploited, the vulnerability allows unauthorized users to gain read access to internal repository contents through the Contractors API, potentially exposing sensitive information. This access bypass specifically affects contractor accounts and could lead to unauthorized information disclosure (GitHub Release Notes).

The vulnerability has been fixed in multiple versions: 3.14.15, 3.15.10, 3.16.6, and 3.17.3. Organizations should upgrade to these patched versions to prevent unauthorized access. After the fix, contractor account access to internal repositories via the API will be correctly blocked unless they have an alternate grant (GitHub Release Notes).