ITnews

GitHub patches critical ‘git push’ remote code execution bug

Microsoft-owned open source code hosting platform GitHub has acknowledged and patched a critical vulnerability that allowed arbitrary remote code execution, following a report from Wiz researchers.

The vulnerability is rated 8.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, and affected both GitHub.com and the self-hosted GitHub Enterprise Server (GHES).

Had it been exploited, the vulnerability could’ve jeopardised millions of code repositories.

A team of researchers at Wiz, now owned by Google, found that malicious options added to the everyday git push command could be used to abuse GitHub's internal protocol and obtain remote code execution (RCE) on backend infrastructure.

To take advantage of the flaw, the attacker would have to be an authenticated user on the platform.
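As an added illustration, not code from the article, from Wiz or from GitHub, and not a reproduction of the reported flaw: git's own push-option mechanism is the standard way client-supplied options on git push reach server-side code. The shell example below shows how those options arrive in a pre-receive hook as environment variables and how a hook can allow-list them instead of trusting them. The repository paths, the allowlist values and the hook logic are assumptions made for the example.

```shell
#!/bin/sh
# Added example: git's generic push-option path from client to server-side hook.
# Not the article's, Wiz's or GitHub's code and not the reported bug; the
# repository paths, allowlist values and hook logic are assumptions.
set -eu

command -v git >/dev/null 2>&1 || { echo "git is required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# Build a bare "server" repository that advertises push-option support and
# installs a pre-receive hook that allow-lists the options a client may send.
setup_server() {
  git init -q --bare "$WORK/server.git"
  git -C "$WORK/server.git" config receive.advertisePushOptions true
  mkdir -p "$WORK/server.git/hooks"
  cat > "$WORK/server.git/hooks/pre-receive" <<'EOF'
#!/bin/sh
# git exposes client push options to server hooks as GIT_PUSH_OPTION_COUNT and
# GIT_PUSH_OPTION_0..N. They are attacker-controlled input: compare against an
# exact allowlist and never hand them to a shell or another command unvalidated.
i=0
while [ "$i" -lt "${GIT_PUSH_OPTION_COUNT:-0}" ]; do
  opt=$(printenv "GIT_PUSH_OPTION_$i")
  case "$opt" in
    ci.skip|merge_request.create) ;;            # constructed allowlist
    *) echo "pre-receive: rejected push option '$opt'" >&2; exit 1 ;;
  esac
  i=$((i + 1))
done
exit 0
EOF
  chmod +x "$WORK/server.git/hooks/pre-receive"
}

# Make a fresh client repo with one commit and push it to the server with a
# single push option (-o). Prints "accepted" or "rejected" on stdout.
push_with_option() {
  opt=$1
  branch=$2
  rm -rf "$WORK/client"
  git init -q "$WORK/client"
  git -C "$WORK/client" -c user.name=example -c user.email=example@example.invalid \
    commit -q --allow-empty -m "constructed test commit"
  if git -C "$WORK/client" push -q -o "$opt" "$WORK/server.git" \
       "HEAD:refs/heads/$branch" 2>/dev/null; then
    echo accepted
  else
    echo rejected
  fi
}

setup_server
echo "ci.skip  -> $(push_with_option ci.skip demo-allowed)"
echo "'x; id'  -> $(push_with_option 'x; id' demo-blocked)"
```

The point of the hook is the trust boundary: anything in GIT_PUSH_OPTION_* was typed by the pushing user, so any server-side code that interpolates it into a command line, a config file or an internal RPC without strict validation is exposed to exactly the kind of authenticated-user input the article describes.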

To make the analysis feasible at speed, the researchers used the open source Interactive Disassembler (IDA) model context protocol (MCP) server as artificial intelligence-augmented tooling.

Wiz Research reported the bug to GitHub on March 4 United States time, with the code hosting platform acknowledging the flaw and deploying a fix within hours on the same day, the company’s chief information security officer Alexis Wales wrote in an incident post-mortem.

A patch for GHES was released by GitHub on March 10; no action is required by GitHub.com users.

The Wiz researchers stand to receive “one of the highest rewards in the history” of GitHub’s bug bounty program, which pays out US$30,000 or more per accepted report, Wales said.

Wales said a log file analysis showed that the vulnerability had not been found by anyone other than Wiz, and had not been exploited.

Nevertheless, Wales suggested that GHES customers should review their access logs out of caution.

Several critical vulnerabilities have surfaced in GHES in recent years.

They include three critical authentication bypasses reported in 2024, and a privilege escalation bug and an RCE flaw found in 2025; none of these has been confirmed as exploited.
