CVE-2025-11892 is a DOM-based cross-site scripting (XSS) vulnerability classified under CWE-79, found in GitHub Enterprise Server's Issues search label filter functionality. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be injected and executed in the context of the victim's browser. An attacker with access to the target GitHub Enterprise Server instance can craft a specially designed URL containing malicious payloads in the label filter parameter. If a user operating in sudo mode clicks this link, the injected script executes with elevated privileges, potentially enabling unauthorized workflow triggers and privilege escalation. This attack vector requires no prior authentication but depends on social engineering to convince a privileged user to interact with the malicious link. The vulnerability affects all GitHub Enterprise Server versions before 3.18.1, 3.17.7, 3.16.10, 3.15.14, and 3.14.19. The CVSS 4.0 score of 8.6 reflects the high impact on confidentiality and integrity due to the ability to execute arbitrary scripts and escalate privileges, combined with the low attack complexity and no requirement for authentication. Although no exploits have been observed in the wild, the vulnerability poses a significant risk given the critical nature of GitHub Enterprise Server in managing source code and workflows in enterprise environments.

For European organizations, this vulnerability can lead to unauthorized execution of workflows, privilege escalation, and potential compromise of sensitive source code repositories and CI/CD pipelines. The exploitation could result in data leakage, insertion of malicious code into repositories, disruption of development processes, and loss of trust in software integrity. Organizations relying heavily on GitHub Enterprise Server for software development and deployment are particularly vulnerable, as attackers could manipulate workflows to introduce backdoors or disrupt operations. The requirement for user interaction with a malicious link means targeted phishing or social engineering campaigns could be effective, especially against privileged users operating in sudo mode. The impact extends to confidentiality, integrity, and availability of critical development infrastructure, potentially affecting compliance with European data protection regulations and increasing the risk of intellectual property theft.

European organizations should immediately upgrade GitHub Enterprise Server instances to versions 3.18.1, 3.17.7, 3.16.10, 3.15.14, or 3.14.19 or later, where the vulnerability is patched. Implement strict access controls and minimize the number of users operating in sudo mode to reduce the attack surface. Enforce security awareness training focused on phishing and social engineering risks, particularly targeting privileged users. Utilize web filtering and email security solutions to detect and block malicious URLs that could exploit this vulnerability. Monitor GitHub Enterprise Server logs for unusual workflow triggers or access patterns indicative of exploitation attempts. Consider deploying Content Security Policy (CSP) headers to mitigate the impact of XSS attacks. Regularly audit and review workflow configurations to detect unauthorized changes. Additionally, isolate critical development environments and restrict external link access where feasible to limit exposure.