CVE-2022-46255

CVE-2022-46255: Improper Limitation of a Pathname to a Restricted Directory in GitHub Enterprise Server leading to RCE

Vendor Github
Product GitHub Enterprise Server
Weakness CWE-22 · Path traversal
Published December 14, 2022
Last update April 22, 2025

CVSS base score

What the vulnerability does

01Description

An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.

Key dates

02Disclosure timeline

December 14, 2022 CVE published
April 22, 2025 Record updated