Dr. Semicolon Injection
Master's in Git Conflict Resolution

Graduate Turns Single Git Push Into Cross-Tenant Research Opportunity

Class of 2022 alum demonstrates advanced delimiter studies by letting one crafted push option reinterpret GitHub's internal security metadata.

April 28, 2026

The Skill Issue Institute is delighted to recognize Dr. Semicolon Injection (Class of 2022) for an elegant contribution to distributed version control research: proving that a single git push can, under the right institutional conditions, become a guided tour of someone else’s infrastructure.

The achievement, cataloged as CVE-2026-3854, affected GitHub’s internal git infrastructure across GitHub.com and GitHub Enterprise Server. Researchers discovered that user-supplied push options could flow into an internal X-Stat header without sufficient delimiter hygiene. Since that header used semicolons to separate security-critical fields, Dr. Injection’s work demonstrated the ancient academic principle that every delimiter is also a tiny door.

From there, the downstream services interpreted injected fields as trusted internal metadata. In GitHub Enterprise Server, that chain could bypass sandboxing around hook execution and run code as the git service user. On GitHub.com, the same class of issue reached shared storage nodes, where researchers confirmed that millions of public and private repositories belonging to other users and organizations were accessible from affected infrastructure. Our Tenancy Studies faculty describes this as “group work, but involuntary.”
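To make the bug class concrete, the following Python sketch is an added illustration, not GitHub's code: it uses a constructed semicolon-delimited header layout (the field names `repo`, `actor` and `opt` are assumptions, not the real X-Stat format) to show how a raw push option can overwrite a trusted field, and what encoding and boundary validation change.

```python
# Added illustration of the bug class described above: user input landing in a
# semicolon-delimited internal header. The layout here is constructed for the
# example; it is NOT GitHub's real X-Stat format.
from urllib.parse import quote, unquote

DELIM = ";"


def build_header_unsafe(repo: str, actor: str, push_options: list[str]) -> str:
    """Vulnerable: push options are joined raw, so a ';' inside one of them
    starts a new field that the parser cannot tell apart from trusted ones."""
    parts = [f"repo={repo}", f"actor={actor}"] + [f"opt={o}" for o in push_options]
    return DELIM.join(parts)


def parse_header(header: str) -> dict:
    """Downstream parser: for trusted keys the last occurrence wins, which is
    exactly what makes an injected trailing field dangerous."""
    fields = {"opt": []}
    for part in header.split(DELIM):
        key, _, value = part.partition("=")
        if key == "opt":
            fields["opt"].append(unquote(value))  # user data, decoded on read
        else:
            fields[key] = value  # trusted metadata
    return fields


def build_header_safe(repo: str, actor: str, push_options: list[str]) -> str:
    """Hardened: every user-controlled value is percent-encoded, so ';' and '='
    cannot survive into the delimited wire form and cannot create new fields."""
    parts = [f"repo={repo}", f"actor={actor}"]
    parts += [f"opt={quote(o, safe='')}" for o in push_options]
    return DELIM.join(parts)


def push_option_is_clean(option: str) -> bool:
    """Defence in depth at the trust boundary: refuse options that carry the
    delimiter, the key/value separator or non-printable characters before they
    reach any internal format at all."""
    return option.isprintable() and not any(c in option for c in DELIM + "=")


if __name__ == "__main__":
    # Constructed sample push option; compare how each builder treats it.
    opt = ["x;actor=git"]
    print(parse_header(build_header_unsafe("r1", "alice", opt))["actor"])  # git
    print(parse_header(build_header_safe("r1", "alice", opt))["actor"])    # alice
```

The safe builder keeps the user value intact for the consumer (it is recovered as one `opt` entry) while guaranteeing it can never be read as a trusted field; the boundary check is the cheaper second line that also protects any other delimited format the value might later reach.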

The minimal prerequisite was especially inspiring. Attackers did not need a mysterious supply-chain implant, a compromised maintainer, or a suspiciously enthusiastic npm package with eleven weekly downloads. They needed authenticated push access to a repository, including one they controlled themselves, and a platform willing to treat certain pieces of punctuation as staff.

“Most developers see git push as a way to send code to a remote,” Dr. Injection explained during our Distinguished Separator Lecture. “I saw it as a chance to ask whether the remote had emotionally processed its input parsing strategy.”

GitHub’s response was unusually swift. The report arrived through the Bug Bounty program on March 4, 2026; GitHub validated the issue, deployed a fix to GitHub.com in under two hours, released GitHub Enterprise Server patches, and reported that its forensic investigation found no exploitation beyond researcher testing. The Institute commends this responsible remediation while noting that it does make the incident less convenient for our Advanced Persistence seminar.

The self-hosted story remained more educational. At public disclosure, researchers reported that a large majority of observed GitHub Enterprise Server instances were still vulnerable, reminding administrators everywhere that receiving a patch and applying a patch are two distinct capstone projects.

Dr. Injection’s work now anchors a new module in our Master’s in Git Conflict Resolution: when an internal protocol and user input disagree about who owns a semicolon, production gets to decide.
