A critical vulnerability allowing remote code execution was identified using an AI model and quickly patched.
GitHub employees resolved a critical remote code execution vulnerability in under six hours last month. Wiz Research utilized AI models to detect a flaw in GitHub’s internal git infrastructure, potentially giving attackers access to numerous public and private code repositories.
“Our security team swiftly began verifying the bug bounty report. In 40 minutes, we replicated the vulnerability and confirmed its severity internally,” explains Alexis Wales, GitHub’s chief information security officer. “This pressing issue demanded immediate attention.”
GitHub’s engineering team devised a solution and implemented it slightly over an hour after pinpointing the root cause, safeguarding GitHub.com and GitHub Enterprise Server. “Within two hours, we validated the finding, deployed a fix to github.com, and started a forensic investigation, concluding that no exploitation occurred,” says Wales. Thus, the issue was remedied within six hours of the report from Wiz.
Wiz reported discovering the vulnerability “using AI,” although the specific AI model used is unclear. “Remarkably, this represents one of the first critical vulnerabilities uncovered in closed-source binaries via AI, signifying a shift in how such issues are located,” notes Sagi Tzadik, a security researcher at Wiz.
Although GitHub’s rapid reaction allowed a fix to be deployed in mere hours, Wiz cautions that the rare vulnerability was “remarkably simple to exploit” despite GitHub’s complex underlying system. “A finding of this magnitude and seriousness is uncommon, earning one of the highest rewards in our Bug Bounty program, and reminds us that impactful security research stems from skilled researchers who know how to pose the right questions,” states Wales.
The revelation of a significant vulnerability in GitHub emerges shortly after GitHub experienced a major outage that inadvertently reverted previously merged commits for some users. GitHub also faced other outages recently, indicating an ongoing trend for the service. Concerns about GitHub’s reliability were highlighted in reports, with one GitHub employee stating, “the company is collapsing, both in critically bad outages tarnishing the company’s reputation and in a leadership exodus.”
