
Cloud Vulnerability DB
A community-led vulnerabilities database
An improper access control vulnerability (CVE-2025-8447) was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. The vulnerability was discovered and reported through the GitHub Bug Bounty program and disclosed on August 25, 2025. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5 (GitHub Release Notes).
The flaw lies in the compare/diff functionality of GitHub Enterprise Server. To exploit it, an attacker needed an account with access to at least one repository on the instance, plus the name of a target private repository and a branch, tag or commit SHA within it; with those, the attacker could trigger a cross-repository compare and retrieve limited code content without being authorized on the target repository. NVD lists a CVSS v4.0 base score of 7.0 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N, and a CVSS v3.1 base score of 3.1 (LOW) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD). The gap between the two scores comes from how each vector models the precondition: the v3.1 vector rates attack complexity as high and confidentiality impact as low, whereas the v4.0 vector expresses the need to know repository and ref names as an attack requirement (AT:P) and rates confidentiality impact as high on both the vulnerable and subsequent systems.
Successful exploitation discloses code from private repositories that the attacker is not authorized to read. Although only limited content is exposed per diff, the confidentiality of private code is compromised, and because the only precondition is access to some repository on the instance, every collaborator on the server is a potential attacker rather than only administrators (GitHub Release Notes).
GitHub has released patches for this vulnerability in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. Organizations are strongly advised to upgrade to the patched build for their release line or later; instances on release lines older than 3.14 have no patched build listed and must move to a supported line. No workarounds have been published, so upgrading to a patched version is the only recommended mitigation (GitHub Release Notes).
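Added example, not part of the advisory or of GitHub's own tooling: a small Python triage script that decides, from the release lines and fixed builds named above, whether a reported GitHub Enterprise Server version is still exposed. It assumes version strings of the form major.minor.patch and that the GHES REST `meta` endpoint reports the build under `installed_version` (an assumption, not something stated on this page); the inventory it checks is constructed sample data.

```python
"""Triage helper for CVE-2025-8447: is a GitHub Enterprise Server build patched?

Added example for this page; it is not GitHub's tooling or code. The release
lines and fixed builds below are the ones named in the advisory text above.
The inventory at the bottom is constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First build on each affected release line that carries the fix (from the page).
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (3, 14): (3, 14, 17),
    (3, 15): (3, 15, 12),
    (3, 16): (3, 16, 8),
    (3, 17): (3, 17, 5),
}
# The page states that all versions prior to 3.18 were affected, so 3.18 and
# later release lines never carried the bug.
FIRST_UNAFFECTED_LINE = (3, 18)


def fmt(v: Version) -> str:
    """Render a version tuple as 'major.minor.patch'."""
    return ".".join(str(n) for n in v)


def parse_version(version: str) -> Version:
    """Parse 'major.minor.patch' as reported by GHES (for example '3.16.7').

    Extra trailing components are ignored; a string without three leading
    numeric components is rejected rather than guessed at.
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised GHES version string: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def assess(version: str) -> Tuple[bool, str]:
    """Return (vulnerable, reason) for one installed GHES version."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line >= FIRST_UNAFFECTED_LINE:
        return False, "release line never affected"
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        # Affected, but no patched build exists on this line: the only
        # remediation is moving to a release line that has one.
        return True, "affected release line with no fix listed; move to 3.14.17 or a later line"
    if v >= fixed:
        return False, f"at or above fixed build {fmt(fixed)}"
    return True, f"below fixed build {fmt(fixed)}; upgrade"


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Names of hosts whose reported version is still exposed, sorted."""
    return sorted(host for host, ver in inventory.items() if assess(ver)[0])


def version_from_meta(meta: dict) -> Optional[str]:
    """Pull the build out of the JSON body of GET /api/v3/meta on a GHES host.

    Assumption (not from the page): the GHES REST 'meta' endpoint reports the
    build as 'installed_version'; adapt the key if your instance differs.
    """
    value = meta.get("installed_version")
    return value if isinstance(value, str) else None


# Constructed sample inventory: hostname -> version, as an admin might collect
# it from each instance's meta endpoint.
SAMPLE_INVENTORY = {
    "ghes-prod.example.internal": "3.16.7",    # one build short of the fix
    "ghes-dr.example.internal": "3.17.5",      # exactly the fixed build
    "ghes-legacy.example.internal": "3.13.9",  # affected line with no fix listed
    "ghes-lab.example.internal": "3.18.0",     # never affected
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        vuln, why = assess(ver)
        print(f"{host:32} {ver:8} {'VULNERABLE' if vuln else 'ok':10} {why}")
    print("needs action:", vulnerable_hosts(SAMPLE_INVENTORY))
```

The comparison is done per release line rather than as a single "greater than" check, because a build such as 3.16.7 is older than 3.17.5 numerically yet sits on a line whose fix is 3.16.8; collapsing the table into one threshold would misclassify it.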
Source: This report was generated using AI