CVE-2025-11892

9.6 CRITICAL

📋 TL;DR

This DOM-based cross-site scripting (XSS) vulnerability in GitHub Enterprise Server lets an attacker run script in a victim's browser by getting the victim to open a crafted link into the Issues search label filter. Every supported release line (3.14 through 3.18) is affected before the patched versions listed below. Exploitation needs an attacker who already has access to the instance and a victim who clicks the link while in sudo mode, the elevated state GitHub enters for sensitive actions; the script then runs with that user's privileges and can trigger workflows, change settings, or exfiltrate data.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: 3.18.x before 3.18.1, 3.17.x before 3.17.7, 3.16.x before 3.16.10, 3.15.x before 3.15.14, 3.14.x before 3.14.19 (older, unsupported lines are also affected and receive no fix)
Operating Systems: All supported OS for GitHub Enterprise Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default configurations; requires attacker access to the instance and user interaction.

📦 What is this software?

GitHub Enterprise Server (GHES) is the self-hosted edition of GitHub: a virtual appliance that organizations run on their own hardware or cloud account and administer through a web management console and an SSH administrative shell. It carries the same Issues, Actions workflows, and sudo mode features as GitHub.com, so a client-side bug in its web UI exposes the same kinds of privileged actions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A site administrator or organization owner is the victim: the injected script acts as that account, so the attacker can trigger workflows (and through them reach runner secrets), exfiltrate repository or organization data, and change administrative settings.

🟠 Likely Case

An ordinary developer is the victim: unauthorized workflow runs and data access limited to what that user can already reach, with privilege escalation only as far as the victim's own permissions extend.

🟢 If Mitigated

No impact once the instance runs a patched version; the fix lives in GitHub's own client-side code, so there is nothing for customers to encode or validate themselves.

🌐 Internet-Facing: MEDIUM - The attacker still needs an account on the instance, but an internet-reachable GHES makes that account easier to obtain (self-signup, contractors, compromised credentials) and lets the crafted link be delivered to users from anywhere.
🏢 Internal Only: HIGH - Any insider or contractor with an account can exploit it; the link looks like a normal Issues search and is easy to slip into a ticket, chat message, or wiki page.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker access to GitHub Enterprise Server instance and social engineering to trick users into clicking malicious links while in sudo mode.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.18.1, 3.17.7, 3.16.10, 3.15.14, or 3.14.19 depending on current version

Vendor Advisory: https://docs.github.com/en/enterprise-server/admin/release-notes

Restart Required: Yes for full upgrade packages (the appliance enters maintenance mode and reboots); hotpatches generally apply without a reboot.

Instructions:

1. Take a backup of the instance with GitHub Enterprise Server Backup Utilities (or a VM snapshot) before touching it.
2. Download the upgrade package or hotpatch for your release line from enterprise.github.com.
3. Apply it from the administrative shell with ghe-upgrade, or through the management console.
4. Let the appliance reboot if prompted, then confirm the installed version before leaving maintenance mode; in high-availability or cluster deployments, upgrade replicas and nodes as GitHub's upgrade documentation directs.

🔧 Temporary Workarounds

The release notes list no workaround; upgrading is the only actual fix. The controls below shrink who can exploit the bug and what they gain, but leave it in place.

Disable Issues search label filter

GitHub Enterprise Server exposes no documented administrative setting that turns off only the Issues search label filter, so this is not a control you can deploy; do not plan on it.

Restrict sudo mode access

Sudo mode is what the crafted link rides on, so reduce who reaches it and for how long: keep site-administrator and organization-owner rights to the accounts that need them, and, where your GHES version lets you configure the sudo mode session duration, shorten it so a stale elevated session is less likely to be sitting in a browser when the link arrives.

🧯 If You Can't Patch

  • Do not count on Content Security Policy: GHES sets its own CSP and you cannot tighten it from the admin settings, and a DOM-based XSS inside the application's own script runs within whatever that policy already allows.
  • Limit who can get an account on the instance (disable self-signup, audit external collaborators); the attacker needs one.
  • Require 2FA for all users at the enterprise or organization level. It does not stop this XSS, which runs inside the victim's already-authenticated browser session, but it limits what an attacker gains from any credential exposed along the way.
  • Brief administrators and owners: a sudo mode prompt should never follow a link they did not expect, and administrative work belongs in a separate browser profile from day-to-day issue browsing.

🔍 How to Verify

Check if Vulnerable:

Read the installed version from the management console, from the administrative shell (the page's path: cat /data/user/common/version-info.json), or from the REST API, where GET /api/v3/meta returns the installed_version field. Then compare it against the fixed release for the same minor line, not against the newest version overall.

Check Version:

ssh admin@your-instance 'cat /data/user/common/version-info.json | grep version_string'

Verify Fix Applied:

The instance is fixed when its version is at or above the fixed release for its own line: 3.18.1+, 3.17.7+, 3.16.10+, 3.15.14+, or 3.14.19+. A 3.16.10 instance is fixed; a 3.17.6 instance is not, even though 3.17.6 is a newer number than 3.16.10. Anything on 3.13 or earlier is unsupported and must be upgraded to a fixed line.
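The per-line comparison above is easy to get wrong by hand across a fleet, so here is a version check written for this page as an added example; it is not GitHub's code and not part of the original advisory. It assumes the GET /api/v3/meta response carries installed_version, as GHES documents, and uses a constructed sample response rather than a live instance; point installed_version_from_meta at a real response body to use it.

```python
"""Decide whether a GitHub Enterprise Server version still needs the
CVE-2025-11892 fix (added example, not GitHub's code)."""
import json

# Fixed releases from the advisory, keyed by release line (major, minor).
FIXED = {
    (3, 18): (3, 18, 1),
    (3, 17): (3, 17, 7),
    (3, 16): (3, 16, 10),
    (3, 15): (3, 15, 14),
    (3, 14): (3, 14, 19),
}
NEWEST_FIXED_LINE = (3, 18)


def parse_version(text):
    """Turn '3.16.10' (optionally with a suffix such as '.rc1') into (3, 16, 10).
    Missing components are treated as 0, so '3.17' becomes (3, 17, 0)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version):
    """True if this version carries the fix for its own release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        # Compare within the line: 3.16.10 is fixed, 3.17.6 is not.
        return (major, minor, patch) >= FIXED[line]
    # Lines newer than 3.18 first shipped after the fix; lines older than
    # 3.14 are out of support and were never patched.
    return line > NEWEST_FIXED_LINE


def installed_version_from_meta(meta_json):
    """Extract installed_version from a GHES GET /api/v3/meta response body
    (assumption: the field is named installed_version, as documented)."""
    return json.loads(meta_json)["installed_version"]


# Constructed sample response; not captured from a real instance.
SAMPLE_META = '{"verifiable_password_authentication": true, "installed_version": "3.16.9"}'


def assess(meta_json):
    """Return (version, fixed?) for a /api/v3/meta response body."""
    version = installed_version_from_meta(meta_json)
    return version, is_fixed(version)


if __name__ == "__main__":
    version, fixed = assess(SAMPLE_META)
    print(version, "patched" if fixed else "VULNERABLE")
```

The line-aware comparison is the whole point: a naive "newer than 3.16.10" check would pass a vulnerable 3.17.6, and a naive "newer than 3.18.1" check would flag a fixed 3.14.19 for upgrade.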

📡 Detection & Monitoring

Log Indicators:

  • Workflow runs triggered by users who do not normally trigger them, or from repositories they rarely touch
  • A burst of failed sudo mode challenges followed by a success for the same account, then privileged actions (workflow triggers, permission changes, token creation) shortly after; note that the exploit itself rides an already-elevated session, so the privileged actions after sudo mode entry are the stronger signal
  • Issues search requests whose label filter carries script-looking or unusually long values, if your reverse proxy or the GHES audit log retains request paths

Network Indicators:

  • Outbound connections from user browsers to unfamiliar hosts immediately after Issues search activity (an exfiltration beacon from the injected script)

SIEM Query:

source="github-enterprise" AND (event="workflow_trigger" OR event="sudo_mode") AND user NOT IN approved_users

The event and user names above are placeholders; in the GHES audit log the fields are action and actor, and the action names must be mapped to what your version emits before the query is useful.
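The two log indicators written out as runnable detection logic, as an added example for this page (not GitHub's code). It assumes newline-delimited JSON audit events with @timestamp, action and actor fields; the action names sudo.failure, sudo.success and the workflows. prefix are assumptions for illustration and must be mapped to the names your GHES version emits. The log lines are constructed, not captured from a real instance.

```python
"""Run the page's log indicators over GHES audit-log events
(added example; action names are assumptions)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed action names; map these to your instance's real audit-log actions.
WORKFLOW_ACTION_PREFIX = "workflows."
SUDO_FAILURE_ACTION = "sudo.failure"
SUDO_SUCCESS_ACTION = "sudo.success"


def parse_events(lines):
    """Parse newline-delimited JSON events, attach a datetime, sort by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def unexpected_workflow_triggers(events, approved_actors):
    """Indicator 1: workflow actions by an actor outside the approved set."""
    return [ev for ev in events
            if ev["action"].startswith(WORKFLOW_ACTION_PREFIX)
            and ev["actor"] not in approved_actors]


def sudo_bruteforce_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Indicator 2: per actor, at least min_failures sudo failures inside
    `window` followed by a sudo success. Returns one hit per success."""
    recent = defaultdict(list)   # actor -> timestamps of recent failures
    hits = []
    for ev in events:
        actor = ev["actor"]
        if ev["action"] == SUDO_FAILURE_ACTION:
            recent[actor].append(ev["ts"])
            recent[actor] = [t for t in recent[actor] if ev["ts"] - t <= window]
        elif ev["action"] == SUDO_SUCCESS_ACTION:
            fails = [t for t in recent[actor] if ev["ts"] - t <= window]
            if len(fails) >= min_failures:
                hits.append({"actor": actor, "failures": len(fails), "at": ev["ts"]})
            recent[actor] = []   # a success closes the window
    return hits


# Constructed sample audit-log lines (not from a real instance).
SAMPLE_LOG = """
{"@timestamp":"2025-11-20T10:00:00Z","action":"sudo.failure","actor":"mallory"}
{"@timestamp":"2025-11-20T10:00:20Z","action":"sudo.failure","actor":"mallory"}
{"@timestamp":"2025-11-20T10:00:40Z","action":"sudo.failure","actor":"mallory"}
{"@timestamp":"2025-11-20T10:01:00Z","action":"sudo.success","actor":"mallory"}
{"@timestamp":"2025-11-20T10:01:30Z","action":"workflows.created_workflow_run","actor":"mallory","repo":"acme/deploy"}
{"@timestamp":"2025-11-20T10:05:00Z","action":"workflows.created_workflow_run","actor":"ci-bot","repo":"acme/deploy"}
{"@timestamp":"2025-11-20T11:00:00Z","action":"sudo.failure","actor":"alice"}
{"@timestamp":"2025-11-20T11:30:00Z","action":"sudo.success","actor":"alice"}
""".splitlines()

APPROVED_ACTORS = {"ci-bot", "release-manager"}


def run(lines=SAMPLE_LOG, approved=APPROVED_ACTORS):
    """Evaluate both indicators and return the actors each one flags."""
    events = parse_events(lines)
    return {
        "unexpected_workflow_actors": sorted(
            {e["actor"] for e in unexpected_workflow_triggers(events, approved)}),
        "sudo_hits": [h["actor"] for h in sudo_bruteforce_then_success(events)],
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the sample, mallory is flagged by both rules while ci-bot (approved) and alice (a single failure, success half an hour later, outside the window) are not. Treat the sudo rule as a weak signal on its own; correlate it with the workflow rule and with privileged actions in the minutes after the success.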

🔗 References

  • GitHub Enterprise Server release notes: https://docs.github.com/en/enterprise-server/admin/release-notes