
"By exploiting an injection flaw in GitHub's internal protocol, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command - using nothing but a standard git client."
"On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes."
"While the authentication requirement may appear to mitigate the risk, GitHub explained that any user with push access to a repository, including one they created, could exploit the vulnerability to execute arbitrary commands on the server."
A critical remote code execution vulnerability, tracked as CVE-2026-3854, was discovered in GitHub's internal Git infrastructure, affecting both GitHub.com and GitHub Enterprise Server. Exploitation was easy, allowing authenticated users to execute arbitrary commands on backend servers with a single git push command. The vulnerability posed significant risks, especially on GitHub.com, where millions of repositories were accessible. GitHub addressed the issue promptly, confirming it had not been exploited in the wild, and deployed a fix on March 4, the same day it was reported.
Read at SecurityWeek