Wiz Research found a CVSS 8.7 injection flaw in GitHub’s X-Stat header protocol that lets any authenticated user achieve remote code execution on GitHub.com and GitHub Enterprise Server (GHES) with a single git push.
Key Takeaways
The root cause: babeld copies git push option values (user-controlled strings) into the semicolon-delimited X-Stat header without sanitizing semicolons, so a value containing a semicolon terminates the current field and starts a new one; because the consumer keeps the last occurrence of a repeated field (last-write-wins), an injected field silently overrides the legitimate server-set value.
Three chained field injections achieve RCE: override rails_env to disable the sandbox, redirect custom_hooks_dir, then path-traverse via repo_pre_receive_hooks to execute an arbitrary binary as the git service user.
On GitHub.com, one additional injected field (enterprise_mode flag) unlocked the custom hooks path, giving RCE on shared storage nodes with filesystem access to millions of public and private repositories.
GitHub.com was patched within 6 hours of disclosure; GHES patches exist for versions 3.14+ but 88% of self-hosted instances remained unpatched 7 weeks after the March 10 release of 3.19.3.
Wiz used AI-augmented reverse engineering via IDA MCP to analyze closed-source GHES binaries at scale – framed as one of the first critical CVEs found this way in black-box compiled binaries.
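The injection primitive behind the takeaways above, as an added illustration rather than babeld's or GitHub's code: a model of a semicolon-delimited key=value header into which caller-supplied push option values are copied verbatim, a consumer-side parser with last-write-wins semantics, and two fail-closed fixes (reject delimiters at build time; reject duplicate keys at parse time). The field names come from the write-up; the helper names, the server-side default values, the push-option key and the injected value are hypothetical, and the real X-Stat format is not reproduced here.

```python
"""Model of delimiter injection into a ';'-separated key=value header.

Added example, not GitHub's or babeld's code. Only the properties the
write-up describes are modelled: semicolon-delimited fields, push option
values copied without sanitization, and a consumer that takes the last
occurrence of a repeated field. All values below are constructed.
"""

DELIM = ";"

# Hypothetical server-set defaults; the real values are not on the page.
SERVER_FIELDS = {
    "rails_env": "server_default_env",
    "custom_hooks_dir": "/server/default/hooks",
}

# Constructed attacker-supplied push option: the ';' ends the push_option
# field and the remainder is parsed as a fresh rails_env field.
INJECTED_OPTION = "deploy;rails_env=attacker_controlled"


class UnsafePushOption(ValueError):
    """Raised by the hardened builder when an option could forge a field."""


class DuplicateField(ValueError):
    """Raised by the strict parser when a field appears more than once."""


def build_header_vulnerable(fields: dict[str, str], push_options: list[str]) -> str:
    """Mirror the flaw: server fields and caller-supplied push options are
    joined with ';' and nothing is escaped, so an option may contain ';'."""
    parts = [f"{k}={v}" for k, v in fields.items()]
    parts += [f"push_option={opt}" for opt in push_options]  # copied as-is
    return DELIM.join(parts)


def parse_header(header: str) -> dict[str, str]:
    """Consumer-side parse with last-write-wins: a repeated key replaces
    the earlier value without any error."""
    out: dict[str, str] = {}
    for part in header.split(DELIM):
        if not part:
            continue
        key, _, value = part.partition("=")
        out[key] = value  # later duplicate overwrites earlier
    return out


def build_header_hardened(fields: dict[str, str], push_options: list[str]) -> str:
    """Fix at the producer: refuse any option containing the field delimiter
    or a control character instead of copying it into the header."""
    for opt in push_options:
        if DELIM in opt or any(ord(c) < 0x20 for c in opt):
            raise UnsafePushOption(f"push option contains delimiter or control char: {opt!r}")
    return build_header_vulnerable(fields, push_options)


def parse_header_strict(header: str) -> dict[str, str]:
    """Fix at the consumer: a repeated key is evidence of injection, so fail
    closed rather than silently keeping the last value."""
    out: dict[str, str] = {}
    for part in header.split(DELIM):
        if not part:
            continue
        key, _, value = part.partition("=")
        if key in out:
            raise DuplicateField(f"field {key!r} appears more than once")
        out[key] = value
    return out


if __name__ == "__main__":
    header = build_header_vulnerable(SERVER_FIELDS, [INJECTED_OPTION])
    print("vulnerable header:", header)
    print("parsed (last wins):", parse_header(header))
    for fn, arg in ((build_header_hardened, (SERVER_FIELDS, [INJECTED_OPTION])),
                    (parse_header_strict, (header,))):
        try:
            fn(*arg)
        except (UnsafePushOption, DuplicateField) as exc:
            print(f"{fn.__name__} rejected input: {exc}")
```

Running the vulnerable path shows the push option truncated to "deploy" and rails_env replaced by the attacker's value, which is the primitive the three chained overrides in the write-up build on; either fix alone closes it, and applying both keeps the consumer safe even if another producer is added later.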
Hacker News Comment Review
The 88% unpatched stat landed harder than the CVE itself: the fix shipped March 10 and public disclosure came April 28, meaning most GHES operators sat on a critical RCE for nearly two months with no apparent urgency.
Commenters split on the competitive angle – one read it as a damning signal for GitHub’s dominance, another pushed back that no alternative has a better track record and switching carries unknown risk.
Notable Comments
@bananapub: Patch released March 10, disclosure April 28 – “88% of on-prem customers haven’t applied a critical security fix from 7 weeks ago, that seems … bad.”
@latchkey: Argues that self-hosting alternatives carry equal or unknown risk; no clear safer destination exists for teams considering a move off GHES.