Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low complexity, requires authenticated low-privilege user; scope change (S:C) because instance-wide availability impact extends beyond the release notes component.
Primary rating from Vendor (GitHub_P).
CVSS VectorVendor: GitHub_P
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. When release notes were generated, the configuration file was parsed without a nesting depth limit, causing excessive resource consumption that could render the instance unresponsive. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.
AnalysisAI
GitHub Enterprise Server (all versions prior to 3.22) is vulnerable to authenticated denial of service via unbounded YAML parsing depth in release notes configuration files. An authenticated user with repository access can craft a release notes configuration file containing arbitrarily deeply nested YAML structures; when release note generation is triggered, the YAML parser processes the nesting without any depth limit, causing excessive CPU and memory consumption that can render the entire GHES instance unresponsive. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session on the GHES instance with at minimum write access to a repository (sufficient to push a crafted release notes configuration file). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H) scores 5.7, which understates operational impact in enterprise deployments: a single authenticated user can fully crash a shared GHES instance, disrupting all development teams relying on it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated developer or contractor with push access to any repository on a GHES instance creates a release notes configuration file (e.g., .github/release.yml) containing thousands of levels of nested YAML mappings. When the attacker or any automated process triggers release note generation for a tag or release, the GHES backend parses the file without depth limiting, causing the parser to exhaust available memory or stack space. … |
| Remediation | The primary remediation is to upgrade to a patched release: 3.17.18, 3.18.12, 3.19.9, 3.20.5, or 3.21.3, depending on the currently deployed release train. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enterprise Server
View allThe RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. R
An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowe
An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sig
An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Ent
User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL
An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted
An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication wi
Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45188