
GitHub fixed a critical vulnerability in under 6 hours

Summary

– GitHub employees fixed a critical remote code execution vulnerability in less than six hours after Wiz Research reported it.
– The vulnerability could have allowed attackers to access millions of public and private code repositories on GitHub.
– GitHub’s security team validated the bug within 40 minutes, and engineering deployed a fix just over an hour after identifying the root cause.
– Wiz used AI to discover the vulnerability, marking one of the first critical flaws found in closed-source binaries using AI.
– GitHub experienced separate outages that reverted merged commits and raised employee concerns about company reliability and leadership exodus.

GitHub’s security team managed to patch a critical remote code execution vulnerability in under six hours last month, after it was uncovered by Wiz Research using AI models. The flaw, which lurked in GitHub’s internal git infrastructure, could have let attackers access millions of public and private code repositories.

“Our security team immediately began validating the bug bounty report. Within 40 minutes, we had reproduced the vulnerability internally and confirmed the severity,” says Alexis Wales, GitHub’s chief information security officer. “This was a critical issue that required immediate action.”

The engineering team identified the root cause and deployed a fix just over an hour later, covering both GitHub.com and GitHub Enterprise Server. “In less than two hours we had validated the finding, deployed a fix to github.com, and begun a forensic investigation that concluded there was no exploitation,” Wales adds. The entire process, from initial report to resolution, took less than six hours.

Wiz Research discovered the vulnerability “using AI,” though the specific model remains undisclosed. “Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified,” says Sagi Tzadik, a security researcher at Wiz.

Despite GitHub’s swift response, Wiz warns that the rare vulnerability was “remarkably easy to exploit,” even given the complexity of GitHub’s underlying system. “A finding of this caliber and severity is rare, earning one of the highest rewards available in our Bug Bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions,” Wales says.

This discovery follows a major GitHub outage that randomly reverted previously merged commits for some users, along with additional outages last week. The pattern has raised concerns about service reliability. I reported last week on employee worries, with one GitHub employee saying “the company is collapsing, both in outages that are reallllly bad and have torched the company reputation… and in an exodus of leadership.”

(Source: The Verge)
