CVE-2025-13744
Unknown Unknown - Not Provided
Improper Input Neutralization in GitHub Enterprise Server Filter Enables Data Exfiltration

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc. (Products Only)

Description
An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13744
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
github enterprise_server 3.19.1
github enterprise_server 3.18.2
github enterprise_server 3.17.8
github enterprise_server 3.16.11
github enterprise_server 3.15.15
github enterprise_server 3.14.20
github enterprise_server to 3.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Neutralization of Input During Web Page Generation in GitHub Enterprise Server. It allows an attacker who has permission to create or modify names of milestones, issues, pull requests, or similar entities to inject attacker-controlled HTML into the Filter component (search) across GitHub. This malicious HTML can be rendered in a victim's browser, potentially enabling the attacker to exfiltrate sensitive information or execute code within the victim's browser. [1]

Impact Analysis

The vulnerability can impact you by allowing an attacker to execute malicious code within your browser when viewing content rendered by the vulnerable Filter component. This can lead to exfiltration of sensitive information and compromise of your data or session. The attacker must have permissions to create or modify certain entities, but once exploited, it can result in significant security risks including data leakage. [1]

Detection Guidance

There are no specific detection commands or network/system detection methods provided in the available resources for this vulnerability. However, administrators can use the command `/usr/local/share/enterprise/ghe-capture-trace-data` on standalone GitHub Enterprise Server instances to capture distributed tracing data for performance diagnostics, which might assist in investigating issues related to this vulnerability under GitHub Support guidance. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade GitHub Enterprise Server to version 3.19.1 or one of the fixed versions (3.18.2, 3.17.8, 3.16.11, 3.15.15, or 3.14.20) where the issue has been resolved. Additionally, review and reapply any custom firewall rules removed during the upgrade process, and follow any post-upgrade instructions such as running Elasticsearch search repair commands if applicable. [1]

Compliance Impact

This vulnerability allows attacker-controlled HTML to be rendered in GitHub Enterprise Server, which could be used to exfiltrate sensitive information. Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and leaks. Therefore, if exploited, this vulnerability could negatively impact compliance with these standards by exposing sensitive data. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart