Wiz uncovers critical GitHub CVE-2026-3854 flaw enabling remote code execution

9 articles · Updated · The Hacker News · Apr 28
  • Wiz researchers found a vulnerability affecting both GitHub.com and GitHub Enterprise Server; about 88% of Enterprise Server instances were still affected at the time of disclosure, and exploitation required only a single git push.
  • The flaw stems from improper sanitization of git push options. An attacker with push access to a repository could execute arbitrary commands on the server, bypass sandboxing, and potentially reach millions of other repositories stored on the same shared storage nodes.
  • GitHub fixed the issue rapidly after Wiz’s March 4 report and found no evidence of malicious exploitation. Enterprise Server operators are urged to update immediately; the bug exposed multi-tenant infrastructure and underscores the risks of multi-service architectures.
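The second bullet names the bug class (push options reaching a command interpreter without sanitization) but not how such a hook goes wrong. The script below is an added illustration written for this page, not GitHub's code and not Wiz's proof of concept: a server-side hook that interpolates a push option into a shell command beside one that treats every option as data and accepts only a small allowlist. The option names `ci.skip` and `reviewer=` are hypothetical; the `GIT_PUSH_OPTION_COUNT` and `GIT_PUSH_OPTION_<n>` environment variables are the real interface git uses to hand `git push -o` values to pre-receive and post-receive hooks. The sample options are constructed.

```shell
#!/bin/sh
# Added example (not GitHub's or Wiz's code): how an unsanitized git push
# option becomes command execution in a server-side hook, and an allowlist
# check that refuses it. Push options arrive from
#   git push -o ci.skip -o 'reviewer=$(id)' origin main
# and git exposes them to hooks as GIT_PUSH_OPTION_COUNT / GIT_PUSH_OPTION_<n>.

# VULNERABLE: the option text is spliced into a command line and re-parsed
# by the shell, so $(...), backticks or ';' inside it run on the server.
vulnerable_handle() {
    opt=$1
    eval "echo notifying $opt"
}

# HARDENED: one option is one datum. Accept only known keys (hypothetical
# names) and restrict values to a conservative character class; anything
# else is rejected before it can reach a command interpreter.
validate_push_option() {
    opt=$1
    case $opt in
        ci.skip)
            return 0 ;;
        reviewer=*)
            val=${opt#reviewer=}
            [ -n "$val" ] || return 1
            [ ${#val} -le 64 ] || return 1
            # Reject the whole option if any character is outside [A-Za-z0-9._-]
            case $val in
                *[!A-Za-z0-9._-]*) return 1 ;;
            esac
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Hook entry point: walk GIT_PUSH_OPTION_0..COUNT-1 exactly as git sets them.
# The eval here only builds a variable *name*; the option's *value* is never
# re-parsed, which is the difference from vulnerable_handle above.
check_env_push_options() {
    n=${GIT_PUSH_OPTION_COUNT:-0}
    i=0
    while [ "$i" -lt "$n" ]; do
        eval "opt=\$GIT_PUSH_OPTION_$i"
        if ! validate_push_option "$opt"; then
            printf 'rejected push option: %s\n' "$opt" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Stand-alone demo with constructed options; a real hook would just call
# check_env_push_options and exit with its status.
(
    GIT_PUSH_OPTION_COUNT=2
    GIT_PUSH_OPTION_0='ci.skip'
    GIT_PUSH_OPTION_1='reviewer=$(id)'
    check_env_push_options
) || echo 'push would be rejected by the hardened hook'
```

Run it with `sh hook-example.sh`; the second option is refused because `$`, `(` and `)` fall outside the allowed class, whereas `vulnerable_handle 'reviewer=$(id)'` would execute `id`. The same pattern applies to any hook or service that forwards push options onward: validate against an allowlist at the boundary and pass values only as separate arguments, never through string interpolation.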