CVE-2025-13744
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in GitHub Enterprise Server's filter/search components that allows attackers with permission to create or modify certain entities (milestones, issues, pull requests) to inject malicious HTML. When exploited, this could lead to sensitive information exfiltration. All GitHub Enterprise Server instances prior to version 3.20 are affected.
💻 Affected Systems
- GitHub Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, authentication tokens, or sensitive data from users who view maliciously crafted search/filter results, potentially leading to account compromise and data breaches.
Likely Case
Targeted attacks against specific users to steal credentials or session information through crafted milestone/issue names that appear in search results.
If Mitigated
With proper input validation and output encoding, the malicious HTML would be rendered harmless as plain text.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions. The vulnerability was discovered through GitHub's bug bounty program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.19.1, 3.18.2, 3.17.8, 3.16.11, 3.15.15, or 3.14.20
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20
Restart Required: Yes
Instructions:
1. Backup your GitHub Enterprise Server instance.
2. Download the appropriate patched version from GitHub Enterprise Server releases.
3. Follow the upgrade instructions for your specific version.
4. Restart the service after upgrade completion.
🔧 Temporary Workarounds
Restrict entity creation/modification permissions
Limit who can create or modify milestones, issues, and pull requests to trusted users only.
Implement Content Security Policy (CSP)
Add CSP headers to restrict script execution from untrusted sources.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-controlled fields that appear in search/filter components.
- Monitor and audit all entity creation/modification activities, especially for suspicious HTML content in names/titles.
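The plain-text rendering described under "If Mitigated" and the output-side part of the validation advice above, shown as an added example written for this page (it is not GitHub Enterprise Server code): a user-controlled entity name is HTML-escaped before it is placed into a search/filter result fragment, beside the unencoded form that reproduces the defect class. `escapeHtml`, `renderResultSafe`, `renderResultUnsafe` and the sample milestone are illustrative assumptions.

```javascript
// Added example for this page, not GitHub Enterprise Server code.
// Output encoding for a user-controlled entity name (milestone, issue or pull
// request title) before it is placed into a search/filter result fragment.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that are significant in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The defect class described in the advisory: the raw name is concatenated into markup,
// so a name containing tags becomes live HTML in every viewer's browser.
function renderResultUnsafe(entity) {
  return `<li class="result"><a href="/milestones/${entity.id}">${entity.name}</a></li>`;
}

// Mitigated form: every user-controlled value is encoded for the context it lands in
// (HTML text for the name, URL component for the id).
function renderResultSafe(entity) {
  const id = encodeURIComponent(String(entity.id));
  return `<li class="result"><a href="/milestones/${id}">${escapeHtml(entity.name)}</a></li>`;
}

// Constructed sample input (hypothetical milestone); the markup in the name mirrors the
// "<script>" indicator listed in the detection section of this advisory.
const sampleMilestone = { id: 7, name: '<script>alert(1)</script> Q3 release' };

// Renders the sample both ways and reports whether a live tag survived in each output.
function demo() {
  const unsafe = renderResultUnsafe(sampleMilestone);
  const safe = renderResultSafe(sampleMilestone);
  return {
    unsafeContainsTag: unsafe.includes('<script>'),
    safeContainsTag: safe.includes('<script>'),
    safe,
  };
}

console.log(demo());
```

Escaping is context-specific: the same value placed inside a `javascript:`-capable attribute or a `<script>` block needs different encoding, which is why the safe renderer encodes the id as a URL component and the name as HTML text rather than applying one filter to everything.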
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the management console, or SSH into the instance's administrative shell (which listens on port 122) and run 'ghe-version'.
Check Version:
ssh -p 122 admin@your-ghe-instance 'ghe-version'
Verify Fix Applied:
Verify the version is 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2, 3.19.1, or 3.20+ after patching.
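The version comparison in the "How to Verify" steps, carried out as an added example (not a GitHub tool): it reads a dotted version out of the `ghe-version` output and decides whether the instance carries the fix, using the patch versions listed in this advisory. The assumed output shape (a line containing a dotted version such as `3.14.19`) and the function names are assumptions; the rule that lines older than 3.14 received no fix follows from the advisory's statement that everything before 3.20 is affected.

```javascript
// Added example for this page, not a GitHub tool.
// Decide from a `ghe-version` output string whether the instance carries the fix for
// CVE-2025-13744, using the first patched release of each supported 3.x line.

const FIRST_FIXED = { 14: 20, 15: 15, 16: 11, 17: 8, 18: 2, 19: 1 };

// Extract the first dotted triple; the exact surrounding text printed by ghe-version
// is assumed, only the version number is used.
function parseGheVersion(output) {
  const m = String(output).match(/(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`no version found in: ${output}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function isFixed(output) {
  const { major, minor, patch } = parseGheVersion(output);
  if (major > 3) return true;
  if (major < 3) return false;
  if (minor >= 20) return true;              // 3.20 and later are unaffected
  if (!(minor in FIRST_FIXED)) return false; // 3.13 and older lines received no fix
  return patch >= FIRST_FIXED[minor];
}

// Human-readable verdict for a fleet check (constructed sample inputs).
function verdict(output) {
  return `${parseGheVersion(output).major}.${parseGheVersion(output).minor}.${parseGheVersion(output).patch}: ${isFixed(output) ? 'fixed' : 'VULNERABLE'}`;
}

for (const v of ['3.14.19', '3.14.20', '3.19.0', '3.20.0', '3.13.7']) console.log(verdict(v));
```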
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/JavaScript content in milestone, issue, or pull request names
- Multiple failed attempts to inject script tags in entity names
Network Indicators:
- Unexpected outbound connections from user browsers to external domains after viewing search results
SIEM Query:
source="github-enterprise" AND (message:"<script>" OR message:"javascript:" OR message:"onerror=" OR message:"onload=")
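The monitoring advised under "If You Can't Patch" and the indicators in the SIEM query above, applied as an added example (not a GitHub tool): a small scanner runs case-insensitive versions of the same `<script>`, `javascript:` and `on*=` indicators over entity names taken from constructed audit-log records. The JSON-lines shape and the field names (`action`, `actor`, `name`) are assumptions, not the real GitHub Enterprise Server audit-log schema.

```javascript
// Added example for this page, not a GitHub tool.
// Apply the indicators from the SIEM query above to entity names in audit-log records.

const INDICATORS = [
  { name: 'script-tag', re: /<\s*script\b/i },       // catches <SCRIPT ...> as well as <script>
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'event-handler', re: /\bon(error|load)\s*=/i }, // requires "=", so prose like "onload handler" is skipped
];

// Constructed sample records (hypothetical schema), one JSON object per line.
const SAMPLE_LOG = [
  '{"action":"milestone.create","actor":"alice","name":"Q3 release"}',
  '{"action":"issue.create","actor":"mallory","name":"<SCRIPT>alert(1)</SCRIPT> bug"}',
  '{"action":"milestone.update","actor":"bob","name":"Docs <img src=x onerror=alert(1)>"}',
  '{"action":"pull_request.create","actor":"carol","name":"Fix onload handler race"}',
  'not json at all',
].join('\n');

// Returns one hit per record whose name matches at least one indicator.
function scanAuditLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    const name = typeof rec.name === 'string' ? rec.name : '';
    const matched = INDICATORS.filter((i) => i.re.test(name)).map((i) => i.name);
    if (matched.length > 0) hits.push({ actor: rec.actor, action: rec.action, indicators: matched });
  }
  return hits;
}

console.log(scanAuditLog(SAMPLE_LOG));
```

A substring query such as `message:"<script>"` misses mixed-case or attribute-bearing tags, and a bare `onload` match fires on ordinary prose; the regexes here narrow both directions, which is the adjustment to make when the SIEM query above is tuned for a real log source.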
🔗 References
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1