
`git push` command injection on GitHub.com and Enterprise

Wiz Research found that push-option values weren't sanitized before being written into the internal X-Stat header. Any authenticated user with push access could therefore execute commands as the git user on backend storage nodes, reading or writing millions of repositories belonging to other users. GitHub deployed a fix within two hours of validation. The finding was surfaced by an AI-assisted research workflow.
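As an added illustration (not GitHub's code and not Wiz's), the defensive pattern that closes this class of bug: validate push-option strings against an allowlist before they are copied into any internal header, and pass the header to downstream tooling as a single argv element rather than through a shell. The header name, the hook and all function names here are hypothetical.

```python
import re
import subprocess
from typing import Iterable, List

# Hypothetical model of the pattern described above: strings sent with
# `git push -o key=value` are copied into an internal header and later
# reach a command. git itself forbids only NUL and LF in a push option;
# shell metacharacters, CR and spaces are transmitted verbatim, so the
# receiving side must enforce its own allowlist.
PUSH_OPTION_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}=[A-Za-z0-9_.:/@-]{0,256}$")


class PushOptionError(ValueError):
    """Raised for any push option outside the allowlist."""


def validate_push_options(options: Iterable[str]) -> List[str]:
    """Return the options unchanged if every one matches the allowlist;
    reject the whole push on the first offending value (fail closed)."""
    clean = []
    for opt in options:
        if not PUSH_OPTION_RE.fullmatch(opt):
            raise PushOptionError(f"push option rejected: {opt!r}")
        clean.append(opt)
    return clean


def build_stat_header(options: Iterable[str]) -> str:
    """Build the internal header value only from validated options."""
    return ";".join(validate_push_options(options))


def run_stat_hook(header_value: str) -> str:
    """Invoke the (hypothetical) downstream hook with an argv list and no
    shell: the header value stays one argument even if it contained
    metacharacters. `echo` stands in for the real hook; returns its stdout."""
    argv = ["echo", header_value]  # never shell=True, never string concat
    result = subprocess.run(argv, check=True, capture_output=True, text=True)
    return result.stdout
```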

CVE-2026-3854 · NVD