CVE-2025-13744
Improper Input Neutralization in GitHub Enterprise Server Filter Enables Data Exfiltration
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc. (Products Only)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | 3.19.1 |
| github | enterprise_server | 3.18.2 |
| github | enterprise_server | 3.17.8 |
| github | enterprise_server | 3.16.11 |
| github | enterprise_server | 3.15.15 |
| github | enterprise_server | 3.14.20 |
| github | enterprise_server | < 3.20 (3.20 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attacker-controlled HTML to be rendered in GitHub Enterprise Server, which could be used to exfiltrate sensitive information. Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and leaks. Therefore, if exploited, this vulnerability could negatively impact compliance with these standards by exposing sensitive data. [1]
Can you explain this vulnerability to me?
This vulnerability is an Improper Neutralization of Input During Web Page Generation in GitHub Enterprise Server. It allows an attacker who has permission to create or modify names of milestones, issues, pull requests, or similar entities to inject attacker-controlled HTML into the Filter component (search) across GitHub. This malicious HTML can be rendered in a victim's browser, potentially enabling the attacker to exfiltrate sensitive information or execute code within the victim's browser. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker to execute malicious code within your browser when viewing content rendered by the vulnerable Filter component. This can lead to exfiltration of sensitive information and compromise of your data or session. The attacker must have permissions to create or modify certain entities, but once exploited, it can result in significant security risks including data leakage. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided in the available resources for this vulnerability. However, administrators can use the command `/usr/local/share/enterprise/ghe-capture-trace-data` on standalone GitHub Enterprise Server instances to capture distributed tracing data for performance diagnostics, which might assist in investigating issues related to this vulnerability under GitHub Support guidance. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade GitHub Enterprise Server to version 3.19.1 or one of the fixed versions (3.18.2, 3.17.8, 3.16.11, 3.15.15, or 3.14.20) where the issue has been resolved. Additionally, review and reapply any custom firewall rules removed during the upgrade process, and follow any post-upgrade instructions such as running Elasticsearch search repair commands if applicable. [1]