A severe security vulnerability, tracked as CVE-2025-23369, has been identified in GitHub Enterprise Server (GHES), allowing attackers to bypass SAML authentication and impersonate other user accounts.
This flaw exploits quirks in the libxml2 library used during SAML response validation, enabling unauthorized access to accounts, including those with administrative privileges.
The vulnerability arises from improper handling of XML entities within SAML responses.
By crafting a malicious SAML response that manipulates XML entity references, attackers can bypass signature verification mechanisms and inject arbitrary assertions.
The issue specifically affects the way GHES processes cryptographic signatures in SAML responses, leading to a failure in validating the integrity of the signed content.
Technical Details of the Exploit
Security Assertion Markup Language (SAML) is a widely used protocol for Single Sign-On (SSO) authentication.
It relies on an Identity Provider (IdP) to issue signed authentication responses that are verified by the Service Provider (SP).
In this case, GitHub Enterprise Server acts as the SP. The vulnerability exploits a flaw in how GHES validates these SAML responses.
The problem lies in the has_root_sig_and_matching_ref? function within GHES’s SAML validation logic.
This function checks whether the root element of a SAML response is properly signed. However, due to quirks in libxml2, attackers can manipulate XML entity references to trick the system into validating a different element as the root signature.
According to the report, this bypasses critical checks for assertion integrity and allows attackers to inject malicious assertions.
For example, by using an XML entity like <!ENTITY idViaEntity "_129"> and referencing it in the root element’s ID attribute, attackers can cause inconsistencies between schema validation and XPath queries.
These inconsistencies enable the injection of unauthorized assertions while maintaining a valid document structure.
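To make the root-signature check described above concrete, the following is an added defensive example (my own code, not GHES’s implementation or GitHub’s patch). It rejects any DTD or entity declaration before parsing, since a SAML response never needs one, and then requires that the root element’s own ds:Reference URI equal the root’s ID attribute as a literal string. The SAML documents are constructed and trimmed to the elements the check inspects, and the function is a structural pre-check only, not the cryptographic signature verification.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_root_signature_reference(raw: bytes) -> bool:
    """Return True only if the raw SAML response has no DTD/entity
    declarations and its root element carries exactly one Signature
    whose single Reference points at the root's own ID."""
    # 1. Any DOCTYPE or ENTITY declaration means an ID attribute could be
    #    seen differently by schema validation and by XPath; reject early.
    if re.search(rb"<!(DOCTYPE|ENTITY)", raw):
        return False
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False
    # 2. The Signature must be a direct child of the root, not nested
    #    inside an Assertion or any other descendant.
    sigs = root.findall("ds:Signature", NS)
    if len(sigs) != 1:
        return False
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False
    # 3. Compare the Reference URI against the root ID as plain strings.
    root_id = root.get("ID")
    if not root_id or refs[0].get("URI") != "#" + root_id:
        return False
    # 4. The root ID must not be reused anywhere else in the document.
    ids = [e.get("ID") for e in root.iter() if e.get("ID")]
    return ids.count(root_id) == 1

# Constructed sample: a well-formed response signed at the root.
GOOD = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_129">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_129"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"/>
</samlp:Response>"""

# Constructed sample: the root ID is supplied through an internal entity,
# the pattern the report describes; the pre-check rejects it before parsing.
BAD_ENTITY = (b'<!DOCTYPE samlp:Response [<!ENTITY idViaEntity "_129">]>\n'
              + GOOD.replace(b'ID="_129"', b'ID="&idViaEntity;"'))
```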
Impact
The vulnerability affects all versions of GitHub Enterprise Server prior to version 3.13.0. Exploitation could allow attackers to:
- Gain unauthorized access to user accounts.
- Escalate privileges to administrator levels.
- Compromise sensitive repositories and data.
GitHub has released patches addressing this issue in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Administrators are urged to update their instances immediately to mitigate risks.
Additionally, organizations should consider disabling encrypted assertions if not required and enabling robust monitoring for unusual authentication activities.
This vulnerability underscores the importance of rigorous testing and validation in security-critical systems like SAML authentication frameworks.
While GitHub has addressed this issue through patches, organizations must remain vigilant against evolving attack vectors targeting authentication mechanisms.