@kyprizel discovered a command injection vulnerability in the management interface for GitHub Enterprise. Exploitation did not require authentication. The management interface listens on a separate port by default, and Enterprise administrators are encouraged to restrict network access to that port on the appliance, but many instances were likely still exploitable.

We addressed this vulnerability by no longer passing request parameters into shell commands. We issued an unplanned update to GitHub Enterprise to quickly provide a fix to users.
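The pattern behind this class of bug, and the fix described above, as an added example that is not GitHub's code and not taken from the GitHub Enterprise management interface. The handler names, the use of `echo` as a stand-in for a host tool, the hostname allowlist and the payload are all assumptions constructed for illustration.

```ruby
require "open3"
require "shellwords"

# Added example, not GitHub Enterprise code. `echo` stands in for whatever
# host tool a hypothetical management-console handler would invoke with a
# request parameter.

# Vulnerable pattern: the parameter is interpolated into a command line.
# Because the string contains shell metacharacters, Ruby runs it through
# /bin/sh -c, so `;` ends the intended command and starts the attacker's.
def run_vulnerable(param)
  out, _status = Open3.capture2("echo #{param}")
  out
end

# Fixed pattern (what "not including request parameters in shell
# commands" means in practice): pass an argv array, so no shell is
# involved and the parameter arrives as exactly one argument.
def run_fixed(param)
  out, _status = Open3.capture2("echo", param)
  out
end

# Fallback when a shell really is required: quote the parameter with
# Shellwords so metacharacters are literal. Prefer the argv form above.
def run_escaped(param)
  out, _status = Open3.capture2("echo #{Shellwords.escape(param)}")
  out
end

# Defense in depth: validate against an allowlist before the value reaches
# any process. Reject bad input rather than trying to sanitize it.
# (Hostname regex is an assumption for this example.)
HOSTNAME_RE = /\A[A-Za-z0-9.-]{1,253}\z/

def run_validated(param)
  raise ArgumentError, "invalid parameter: #{param.inspect}" unless HOSTNAME_RE.match?(param)
  run_fixed(param)
end

# Constructed attacker input: a valid-looking value followed by a second command.
PAYLOAD = "example.com; echo INJECTED".freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_vulnerable(PAYLOAD).inspect}"  # second command runs
  puts "fixed:      #{run_fixed(PAYLOAD).inspect}"       # literal string echoed
  puts "escaped:    #{run_escaped(PAYLOAD).inspect}"     # literal string echoed
  begin
    run_validated(PAYLOAD)
  rescue ArgumentError => e
    puts "validated:  rejected (#{e.message})"
  end
end
```

The vulnerable handler prints `INJECTED` on its own line because the shell executed the attacker's second command; the argv and escaped forms print the whole payload as one literal argument, and the validated form never spawns a process at all.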

This vulnerability only affected GitHub Enterprise version 2.5.X. If you are running the 2.5.X series, please ensure that you have updated to version 2.5.4 or higher. More details can be found in the v2.5.4 release notes.