@Geolim4 discovered that the existence of private repositories could be revealed by inspecting the response from the 404 page for multiple “Set-Cookie” headers. A certain cookie was being set if a repository existed, regardless of the viewer’s access. We addressed the vulnerability by ensuring this cookie is only set on public repositories or private repositories the viewer can access.
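
The leak and the fix described above, reduced to a toy handler with a regression check, as an added example that is not GitHub's code. The cookie name `repo_ctx`, the repository names, the viewers and both handler functions are hypothetical; the page does not name the real cookie.

```python
# Toy model (constructed data): repo -> (is_private, viewers with access).
REPOS = {
    "acme/public-site": (False, set()),
    "acme/secret-plan": (True, {"alice"}),
}
COOKIE = "repo_ctx"  # hypothetical name; the real cookie is not named on the page


def can_view(repo, viewer):
    entry = REPOS.get(repo)
    if entry is None:
        return False
    private, members = entry
    return not private or viewer in members


def handle_vulnerable(repo, viewer):
    """'Before' behaviour: the cookie is set whenever the repository exists."""
    headers = [("Set-Cookie", "session=opaque; HttpOnly")]
    if repo in REPOS:  # existence check only, ignores the viewer's access
        headers.append(("Set-Cookie", f"{COOKIE}=1"))
    return (200 if can_view(repo, viewer) else 404), headers


def handle_fixed(repo, viewer):
    """'After' behaviour: cookie only for public repos or private ones the viewer can access."""
    headers = [("Set-Cookie", "session=opaque; HttpOnly")]
    visible = can_view(repo, viewer)
    if visible:
        headers.append(("Set-Cookie", f"{COOKIE}=1"))
    return (200 if visible else 404), headers


def header_shape(response):
    """Status plus sorted (header, cookie name) pairs, ignoring cookie values."""
    status, headers = response
    return status, sorted((k, v.split("=", 1)[0]) for k, v in headers)


def leaks_existence(handler, viewer="outsider"):
    """True if the 404 for a hidden private repo differs from the 404 for a missing one."""
    hidden = header_shape(handler("acme/secret-plan", viewer))
    missing = header_shape(handler("acme/does-not-exist", viewer))
    return hidden != missing
```

Comparing the full header shape rather than one cookie lets the same check catch any other header that differs between the two 404 responses.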