CVE-2025-23369

HIGH

GitHub Enterprise Server < 3.12.14 / 3.13.10 / 3.14.7 / 3.15.2 / 3.16.0 - Improper Verification of Cryptographic Signature (SAML SSO)

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-23369. PoCs published by hakivvi, Arian91.

AI-analyzed exploit summary: both PoCs start from a legitimately signed SAML response and manipulate it (removing and re-inserting the Signature element, duplicating Assertion nodes, and using XML entity references) so that signature validation passes for an assertion carrying a NameID of the attacker's choosing. Note that the advisory attributes the flaw to GitHub Enterprise Server's SAML signature verification; the "libxml2" target named in the PoC analysis below is that analysis's own label and is not confirmed by the advisory.

Description

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed an existing internal user to spoof a SAML signature and authenticate as a different user. Instances not using SAML single sign-on, or where the attacker was not already an existing user, were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. It was reported via the GitHub Bug Bounty program.

Exploits (2)

nomisec WORKING POC 38 stars
by hakivvi · poc
https://github.com/hakivvi/CVE-2025-23369

This exploit manipulates a signed SAML response by removing and re-inserting the signature, duplicating assertion nodes, and using XML entity references to bypass signature validation. The analysis describes the target as libxml2's handling of SAML assertions; the advisory itself only names GitHub Enterprise Server.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: libxml2 (SAML processing), per the PoC analysis; the advisory attributes the flaw to GitHub Enterprise Server
Auth: the PoC needs no credentials on the GHES instance itself, but it does need a legitimately signed SAML response from the IdP; the advisory states only existing users are affected and the CVSS vector rates it PR:L
Prerequisites: A valid SAML response file · Target NameID value
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by Arian91 · poc
https://github.com/Arian91/CVE-2025-23369_SAML_bypass

This PoC exploits CVE-2025-23369, a SAML authentication bypass vulnerability. It manipulates SAML responses by removing signatures, modifying IDs, and injecting XML entities to bypass authentication checks.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: SAML-based authentication systems (specific version not specified); the advisory names GitHub Enterprise Server
Auth: the PoC needs no credentials on the GHES instance itself, but it does need a legitimately signed SAML response from the IdP; the advisory states only existing users are affected and the CVSS vector rates it PR:L
Prerequisites: Valid SAML response file · Target NameID value
devstral-2 · analyzed Feb 16, 2026
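The manipulations both PoC summaries describe (a re-inserted signature, a duplicated Assertion, an entity reference in place of a literal ID) all work by making the element the verifier signs off on differ from the element the application reads the NameID from. The checker below is an added example, not code from either PoC repository or from GitHub Enterprise Server, of the structural checks a relying party should run around XML-DSig verification: refuse DTDs and custom entities before parsing, require exactly one Assertion, require the Signature to be enveloped in that Assertion, and require the Reference URI to resolve to exactly one element, which must be that Assertion. The cryptographic verification of the Signature itself is assumed to run afterwards over exactly that element and is not shown (the SignatureValue in the samples is a placeholder). The sample responses are constructed for the example and are not captured traffic.

```python
import re
import xml.etree.ElementTree as ET

# Clark-notation namespace prefixes for ElementTree lookups.
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
PREDEFINED_ENTITIES = {"amp", "lt", "gt", "quot", "apos"}
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.\-]*);")


class SamlRejected(Exception):
    """Raised when the response fails a structural check."""


def reject_dtd_and_custom_entities(xml_text: str) -> None:
    """Refuse DOCTYPE/ENTITY declarations and non-predefined entity references
    before the parser can expand them; expansion is one way the ID that was
    signed and the ID the verifier resolves can diverge."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise SamlRejected("DTD / entity declarations are not allowed")
    for m in ENTITY_REF.finditer(xml_text):
        if m.group(1) not in PREDEFINED_ENTITIES:
            raise SamlRejected(f"custom entity reference &{m.group(1)}; not allowed")


def elements_with_id(root: ET.Element, ident: str) -> list:
    """Every element whose ID/Id/id attribute equals ident; must be exactly one."""
    return [el for el in root.iter()
            if any(el.get(attr) == ident for attr in ("ID", "Id", "id"))]


def signed_name_id(xml_text: str) -> str:
    """Return the NameID of the single Assertion that envelops the Signature,
    after checking that the Signature's Reference URI resolves uniquely to it."""
    reject_dtd_and_custom_entities(xml_text)
    root = ET.fromstring(xml_text)
    assertions = root.findall(f".//{SAML}Assertion")
    if len(assertions) != 1:
        raise SamlRejected(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    signatures = assertion.findall(f"{DS}Signature")  # direct child only
    if len(signatures) != 1:
        raise SamlRejected("Assertion must carry exactly one enveloped Signature")
    references = signatures[0].findall(f"{DS}SignedInfo/{DS}Reference")
    if len(references) != 1:
        raise SamlRejected("expected exactly one Reference")
    uri = references[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        raise SamlRejected("Reference URI must be a same-document fragment")
    targets = elements_with_id(root, uri[1:])
    if len(targets) != 1 or targets[0] is not assertion:
        raise SamlRejected("Reference URI does not resolve uniquely to the signed Assertion")
    name_id = assertion.find(f"{SAML}Subject/{SAML}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise SamlRejected("signed Assertion has no NameID")
    return name_id.text.strip()


def rejects(xml_text: str) -> bool:
    """True if the structural checks refuse the response."""
    try:
        signed_name_id(xml_text)
    except SamlRejected:
        return True
    return False


# Constructed sample responses; SignatureValue is a placeholder, not a real signature.
def _signature(ref: str) -> str:
    return (f'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            f'<ds:SignedInfo><ds:Reference URI="#{ref}"/></ds:SignedInfo>'
            f'<ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>')

def _assertion(aid: str, name: str, sig: str = "") -> str:
    return (f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'ID="{aid}" Version="2.0"><saml:Issuer>https://idp.example.com</saml:Issuer>'
            f'{sig}<saml:Subject><saml:NameID>{name}</saml:NameID></saml:Subject>'
            f'</saml:Assertion>')

def _response(body: str, prolog: str = "") -> str:
    return (f'{prolog}<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'ID="_r1" Version="2.0">{body}</samlp:Response>')

# A legitimately signed response for alice.
RESPONSE_OK = _response(_assertion("_a1", "alice@example.com", _signature("_a1")))
# Signed alice Assertion kept intact plus a duplicated Assertion reusing its ID for another user.
RESPONSE_DUPLICATE_ASSERTION = _response(
    _assertion("_a1", "alice@example.com", _signature("_a1"))
    + _assertion("_a1", "admin@example.com"))
# Signature removed from the Assertion and re-inserted as a sibling under the Response.
RESPONSE_DETACHED_SIGNATURE = _response(
    _signature("_a1") + _assertion("_a1", "admin@example.com"))
# Assertion ID supplied through an internal entity; refused before parsing.
RESPONSE_ENTITY_ID = _response(
    _assertion("&aid;", "admin@example.com", _signature("_a1")),
    prolog='<!DOCTYPE samlp:Response [<!ENTITY aid "_a1">]>')

if __name__ == "__main__":
    print(signed_name_id(RESPONSE_OK))  # alice@example.com
    for sample in (RESPONSE_DUPLICATE_ASSERTION, RESPONSE_DETACHED_SIGNATURE, RESPONSE_ENTITY_ID):
        print(rejects(sample))  # True
```

The order matters: the entity check runs on the raw text before any parse, the single-Assertion and enveloped-Signature checks run on the parsed tree, and only then is the element passed to the XML-DSig library. Running the cryptographic check first and "finding the Assertion" afterwards is the pattern the duplicated-node and moved-signature variants rely on.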

Scores

CVSS v3.1 8.8 (High)
EPSS 0.0154 (1.54%)
EPSS Percentile 71.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none (CISA's assessment at enrichment time; the two public PoCs tracked above post-date it or were not counted)
Automatable no
Technical Impact partial

Details

CWE
CWE-347
Status published
Products (1)
github/enterprise_server < 3.12.14 (the advisory also lists < 3.13.10, < 3.14.7, < 3.15.2 and < 3.16.0 as affected on their respective branches)
Published Jan 21, 2025
Tracked Since Feb 18, 2026