GitHub Enterprise Server
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*
- < 3.21
A denial-of-service vulnerability exists in GitHub Enterprise Server versions prior to 3.21. An unauthenticated attacker can disrupt service by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parses user-controlled JSON request bodies without size or depth limits, leading to excessive CPU and memory consumption. This vulnerability was reported through the GitHub Bug Bounty program.
Exploitation of this vulnerability causes a denial-of-service condition on the affected GitHub Enterprise Server instance, leading to increased resource consumption and potential service disruptions.
To address this vulnerability, GitHub Enterprise Server administrators should upgrade to version 3.20.2 or later. Instructions for upgrading can be found in the GitHub Enterprise Server release notes.
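The root cause described above is a JSON request body parsed with no size or depth limit. The snippet below is an added example of the general hardening pattern and is not GitHub's code or a description of the actual patch: cap the raw body size before parsing, pass `max_nesting` to Ruby's `JSON.parse` so a deeply nested payload is rejected with a `JSON::NestingError` before it is built into objects, and use a constant-memory scan to report the observed nesting depth for logging or alerting. The limit values, the `ParseResult` struct and the helper names are assumptions chosen for the example.

```ruby
require 'json'

# Assumed limits for the example; real services should size these to the
# largest legitimate request the endpoint actually needs to accept.
MAX_BODY_BYTES = 64 * 1024
MAX_JSON_DEPTH = 32

# Outcome of parsing: ok? flag, parsed value, and a symbolic error reason.
ParseResult = Struct.new(:ok, :value, :error)

# Hardened entry point: reject oversized bodies before touching the parser,
# then let the parser enforce the nesting limit. JSON::NestingError is a
# subclass of JSON::ParserError, so it must be rescued first to keep the
# distinct :too_deep reason.
def parse_request_json(body)
  return ParseResult.new(false, nil, :body_too_large) if body.bytesize > MAX_BODY_BYTES

  value = JSON.parse(body, max_nesting: MAX_JSON_DEPTH)
  ParseResult.new(true, value, nil)
rescue JSON::NestingError
  ParseResult.new(false, nil, :too_deep)
rescue JSON::ParserError
  ParseResult.new(false, nil, :malformed)
end

# Maximum bracket/brace nesting of a JSON text, computed in a single pass
# with O(1) memory. Brackets inside string literals are ignored, including
# after backslash escapes. Useful for logging the depth of rejected bodies
# without ever parsing them.
def json_nesting_depth(body)
  depth = 0
  max_depth = 0
  in_string = false
  escaped = false

  body.each_char do |c|
    if in_string
      if escaped
        escaped = false
      elsif c == '\\'
        escaped = true
      elsif c == '"'
        in_string = false
      end
      next
    end

    case c
    when '"'
      in_string = true
    when '[', '{'
      depth += 1
      max_depth = depth if depth > max_depth
    when ']', '}'
      depth -= 1
    end
  end

  max_depth
end

# Constructed test fixture: an array nested `depth` levels deep, the shape
# of input that an unbounded parser turns into excessive CPU and memory use.
def nested_payload(depth)
  ('[' * depth) + (']' * depth)
end

if __FILE__ == $PROGRAM_NAME
  [
    '{"name":"ghe","tags":["a","b"],"nested":{"x":1}}',
    nested_payload(10_000),
    '{"unterminated":'
  ].each do |body|
    result = parse_request_json(body)
    puts "depth=#{json_nesting_depth(body)} ok=#{result.ok} error=#{result.error.inspect}"
  end
end
```

In a Rack or Rails application the body-size check belongs in middleware, ahead of any framework parameter parsing, so that the limit also protects request handlers that never call `JSON.parse` directly.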