GitHub Enterprise v2.8.0 - 2.8.6 Management Console Deserialization RCE | Advisories

Advisories

GitHub Enterprise v2.8.0 - 2.8.6 Management Console Deserialization RCE

severity: critical
date: 11/10/2025
Affecting: GitHub Enterprise 2.8.0 - 2.8.6
CVE: CVE-2017-18365
CWE: CWE-502 Deserialization of Untrusted Data
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: GitHub Release Notes
Researcher Disclosure
ExploitDB-42392
Shadowserver Exploitation Evidence
Credit: Orange Tsai
Description: The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
VulnCheck KEV: This advisory is in the VulnCheck KEV database

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo