@adob reported an issue that allowed an attacker to instantiate arbitrary Ruby objects on a server used for GitHub Service Hooks. Several service hooks use XMLRPC to serialize data between GitHub and the service hook endpoint. A malicious service hook endpoint could generate an XML response that would cause the hook service to dynamically instantiate an arbitrary Ruby object. Though object instantiation does not directly lead to remote code execution (RCE), it can often be used to do so. As a result, we treated the finding as a RCE and addressed the vulnerability immediately.
We addressed the vulnerability by disabling support for object marshalling in our XMLRPC configuration. We also performed an audit to ensure we were not using an insecure XMLRPC configuration elsewhere.