CVE-2025-6981
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3
| Software | From | Fixed in |
|---|---|---|
| github / enterprise_server | - | 3.14.5 |
| github / enterprise_server | 3.15.0 | 3.15.10 |
| github / enterprise_server | 3.16.0 | 3.16.6 |
| github / enterprise_server | 3.17.0 | 3.17.3 |
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime