GitHub rushed to fix a critical vulnerability in less than six hours

GitHub employees fixed a critical remote code execution vulnerability in less than six hours last month. Wiz Research used AI models to uncover a vulnerability in GitHub’s internal git infrastructure that could have allowed attackers to access millions of public and private code repositories.

“Our security team immediately began validating the bug bounty report. Within 40 minutes, we had reproduced the vulnerability internally and confirmed the severity,” explains Alexis Wales, GitHub chief information security officer. “This was a critical issue that required immediate action.”

GitHub’s engineering team developed a fix and deployed it just over an hour after identifying the root cause, protecting both GitHub.com and GitHub Enterprise Server. “In less than two hours we had validated the finding, deployed a fix to github.com, and begun a forensic investigation that concluded there was no exploitation,” says Wales. This meant the issue was fixed within six hours of the report from Wiz.

The vulnerability itself was discovered “using AI,” according to Wiz. It’s not clear exactly what AI model helped find the issue, though. “Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified,” says Sagi Tzadik, a security researcher at Wiz.

While GitHub’s rapid response meant a fix was deployed in just hours, Wiz warns that the rare vulnerability was “remarkably easy to exploit,” despite how complex GitHub’s underlying system is. “A finding of this caliber and severity is rare, earning one of the highest rewards available in our Bug Bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions,” says Wales.

The discovery of a major vulnerability in GitHub comes just days after GitHub had a major outage that randomly reverted previously merged commits (code snapshots) for some users. GitHub also had other outages last week, in what’s increasingly becoming a trend for the service. I reported last week on employee concerns about GitHub reliability, highlighting one GitHub employee who says “the company is collapsing, both in outages that are reallllly bad and have torched the company reputation… and in an exodus of leadership.”