A critical DOM-based Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-11892, has been uncovered in GitHub Enterprise Server, posing a significant risk of privilege escalation and unauthorized workflow triggers. The flaw affects all versions released before specific updates and carries a CVSS 4.0 severity score of HIGH, prompting an urgent call for administrators to patch their systems.
The vulnerability, discovered by security researcher André Storfjord Kristiansen, lurks within the Issues search functionality’s label filter. It stems from an improper handling of input, allowing a malicious actor to inject harmful scripts into the system. According to GitHub, the issue is categorized under CWE-79: Improper Neutralization of Input During Web Page Generation (XSS).
Exploiting this flaw requires a multi-step attack. First, an attacker needs existing access to the target GitHub Enterprise Server instance. They must then trick a user operating in sudo mode into clicking a specially crafted malicious link. Once clicked, this link can trigger actions that require elevated privileges, potentially leading to significant consequences like data breaches, unauthorized code commits, or disruptions to development pipelines.
While GitHub has not yet detailed the full scope of “unauthorized workflow triggers,” the ability to escalate privileges within an enterprise Git environment is a severe concern for any organization relying on the platform for code management and development.
Immediate Action: Update Your Server
To mitigate this risk, GitHub strongly advises users to update their GitHub Enterprise Server instances without delay. The vulnerability has been addressed in the following versions:
- 3.18.1 and later
- 3.17.7 (for the 3.17 branch)
- 3.16.10 (for the 3.16 branch)
- 3.15.14 (for the 3.15 branch)
- 3.14.19 (for the 3.14 branch)
Beyond technical patches, user education remains a crucial defense. Organizations should emphasize the importance of vigilance against social engineering tactics and suspicious links. This incident serves as a fresh reminder that even robust enterprise platforms require continuous monitoring and prompt updates to safeguard against evolving cyber threats.