CVE-2025-3246

7.6 HIGH

📋 TL;DR

A cross-site scripting vulnerability in GitHub Enterprise Server allows attackers to inject malicious scripts into math blocks using $$..$$ delimiters. This affects organizations running GitHub Enterprise Server version 3.16.1, requiring both access to the instance and privileged user interaction for exploitation.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: Version 3.16.1 only
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with Markdown rendering enabled (default). Requires attacker access and user interaction.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Privileged user executes malicious JavaScript leading to session hijacking, data theft, or administrative account compromise.

🟠 Likely Case

Targeted phishing campaign against privileged users leads to limited data exposure or account takeover.

🟢 If Mitigated

With proper access controls and user awareness, impact is limited to isolated incidents with minimal data exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to create malicious content and privileged user interaction to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.16.2

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.2

Restart Required: Yes

Instructions:

1. Backup your GitHub Enterprise Server instance.
2. Download version 3.16.2 from GitHub Enterprise.
3. Follow the upgrade procedure for your deployment method.
4. Restart services as required.

🔧 Temporary Workarounds

Disable Markdown rendering
  • Applies to: all
  • Temporarily disable Markdown rendering for math blocks to prevent exploitation
  • Command: Not applicable - configuration change via admin console

Restrict user content creation
  • Applies to: all
  • Limit which users can create content with Markdown math blocks
  • Command: Not applicable - policy/configuration change

🧯 If You Can't Patch

  • Implement strict content security policies to limit script execution
  • Increase monitoring for suspicious Markdown content and user interactions

🔍 How to Verify

Check if Vulnerable:

Check GitHub Enterprise Server version via admin console or SSH: cat /data/user/common/enterprise-version

Check Version:

cat /data/user/common/enterprise-version

Verify Fix Applied:

Confirm version is 3.16.2 or higher and test Markdown math block rendering
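As an added example (not from this advisory card or from GitHub), a POSIX shell check that reads the version file named above and classifies the running release against the affected version (3.16.1) and the patched version (3.16.2). The file path is taken from the page; the `--check` flag and the output labels are assumptions. Versions are compared component by component so that, for instance, 3.16.10 is not mistaken for a pre-patch release by a plain string comparison.

```shell
# Compare two dotted versions numerically; prints -1, 0 or 1.
# Missing components are treated as 0, so "3.16" equals "3.16.0".
vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s' "$1" | cut -d. -f"$i"); p1=${p1:-0}
        p2=$(printf '%s' "$2" | cut -d. -f"$i"); p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then echo -1; return 0; fi
        if [ "$p1" -gt "$p2" ]; then echo 1; return 0; fi
        i=$((i + 1))
    done
    echo 0
}

# Classify a GitHub Enterprise Server version string for CVE-2025-3246.
# Prints: affected (3.16.1), fixed (>= 3.16.2), unlisted (older, not named
# as affected on the advisory) or unknown (string is not plain X.Y.Z).
ghes_cve_2025_3246_status() {
    case $1 in
        '' | *[!0-9.]*) echo unknown; return 0 ;;
    esac
    if [ "$1" = "3.16.1" ]; then echo affected; return 0; fi
    if [ "$(vercmp "$1" 3.16.2)" -ge 0 ]; then echo fixed; return 0; fi
    echo unlisted
}

# Read the version file from the instance and report. Exit status 0 means
# "not the affected release", 1 means affected, 2 means the file could not
# be read or parsed (treat 2 as "investigate", not as "safe").
check_ghes_version_file() {
    f=${1:-/data/user/common/enterprise-version}   # path as given on the page
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    v=$(tr -d '[:space:]' < "$f")
    status=$(ghes_cve_2025_3246_status "$v")
    echo "GitHub Enterprise Server $v: $status"
    case $status in
        affected) return 1 ;;
        unknown)  return 2 ;;
        *)        return 0 ;;
    esac
}

# Only run the check when invoked with --check, so the functions above can
# also be sourced into another script. (Assumed flag, not a GHES option.)
if [ "${1:-}" = "--check" ]; then
    check_ghes_version_file "${2:-/data/user/common/enterprise-version}"
fi
```

Run it on the appliance as `sh check.sh --check`; a non-zero exit with the line "3.16.1: affected" means the upgrade to 3.16.2 has not been applied.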

📡 Detection & Monitoring

Log Indicators:

  • Unusual Markdown content creation patterns
  • Multiple failed XSS attempts in audit logs

Network Indicators:

  • Suspicious JavaScript payloads in HTTP requests to Markdown endpoints

SIEM Query:

source="github_audit" AND (event="markdown.render" OR event="content.create") AND content CONTAINS "$$"
