@hughdavenport found that webhooks could be configured to make requests to internal network resources. This behavior had previously been blocked with application- and host-level protections, but internal and local IPv6 addresses were not being blocked.

The vulnerability was mitigated by adding host firewall rules preventing webhook processes from making these requests. This was determined to be low risk for GitHub Enterprise instances. A fix will be included in GitHub Enterprise 2.2.
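
An application-level destination check that covers the IPv6 cases described above, shown beside an IPv4-only blocklist that misses them. This is an added example, not GitHub's code and not the host firewall mitigation it deployed; the function names, blocklist contents and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed IPv4-only blocklist: the kind of filter that leaves the IPv6 gap.
IPV4_ONLY_BLOCKLIST = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16")
]


def blocked_v4_only(addr: str) -> bool:
    """Incomplete check: an IPv6 address never matches an IPv4 network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IPV4_ONLY_BLOCKLIST)


def blocked(addr: str) -> bool:
    """Reject any address that is not globally routable, for IPv4 and IPv6."""
    # Drop an IPv6 zone identifier such as "%eth0" before parsing.
    ip = ipaddress.ip_address(addr.split("%")[0])
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the embedded IPv4
    # address is the one that gets judged.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local, unique local (fc00::/7),
    # RFC 1918, unspecified and other reserved ranges.
    return not ip.is_global


def destination_allowed(resolved_addrs) -> bool:
    """Allow delivery only if every resolved A/AAAA record is routable.

    The caller is assumed to pass the addresses obtained from DNS and to
    connect to exactly those addresses, so a second lookup cannot return
    a different answer after validation.
    """
    return bool(resolved_addrs) and not any(blocked(a) for a in resolved_addrs)
```

A check like this complements, rather than replaces, the host firewall rules on the webhook processes.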