GitHub patches critical RCE vuln in under 6 hours

Last month GitHub resolved a serious remote code execution flaw in its internal git systems roughly six hours after receiving a bug bounty submission from Wiz Research. The security firm relied on AI tools to surface the issue, which reportedly could have let malicious actors reach millions of both public and private repositories.

GitHub’s Response

Alexis Wales, GitHub’s chief information security officer, said the company’s security team “immediately began validating the bug bounty report” and reproduced the problem internally within 40 minutes. Engineering staff then built and rolled out a patch just over an hour after pinpointing the root cause, shielding both GitHub.com and GitHub Enterprise Server instances. Wales added that “in less than two hours we had validated the finding, deployed a fix to github.com, and begun a forensic investigation that concluded there was no exploitation.”

Discovery Method

Wiz noted the flaw was found “using AI.” Security researcher Sagi Tzadik called it “one of the first critical vulnerabilities discovered in closed-source binaries using AI,” pointing to an emerging approach for spotting such defects. Although the precise model remains undisclosed, the firm described the vulnerability as “remarkably easy to exploit” despite the complexity of GitHub’s architecture.

Wales said the report qualified for one of the highest payouts in the company’s bug bounty program because of its potential impact.

The episode follows a string of service disruptions at GitHub, including an outage last month that unexpectedly reverted merged commits for some users and additional incidents the same week. The Verge reported last week on internal worries about the platform’s stability, including one employee’s claim that “the company is collapsing, both in outages that are reallllly bad and have torched the company reputation… and in an exodus of leadership.”