Welcome to another story in the "Lessons Learned" series, where we discuss real-world vulnerabilities from the perspective of an application security engineer, focusing on the underlying root causes and the measures we can take to prevent similar issues in our own applications. In today's story, we discuss a write-up showing how a missing input sanitization check on a git push option was enough to achieve remote code execution on GitHub's backend infrastructure and to access millions of private repositories belonging to other customers. You can find the full write-up here.

Impact of the Vulnerability

A critical remote code execution (RCE) vulnerability, assigned a CVSS score of 8.7, allowed any authenticated user to execute arbitrary commands on GitHub's backend storage nodes using nothing but a standard git push command. Because those nodes hold the repository data of many customers, code execution on them also meant access to millions of private repositories.…