CVE-2025-13744 is a Cross-site Scripting (XSS) vulnerability classified under CWE-79, found in GitHub Enterprise Server's Filter component responsible for search functionality. The flaw stems from improper neutralization of user-supplied input during web page generation, specifically in the rendering of names for milestones, issues, pull requests, or similar entities. An attacker with permissions to create or modify these entity names can inject malicious HTML or JavaScript code that is then executed in the context of other users viewing the affected pages. This can lead to unauthorized actions such as exfiltration of sensitive data, session hijacking, or other malicious activities. The vulnerability affects all GitHub Enterprise Server versions prior to 3.20, with fixes released in multiple patch versions starting from 3.14.20 up to 3.19.1. The CVSS 4.0 vector indicates the attack can be performed remotely over the network without authentication, with low complexity and no privileges required, but user interaction is needed (e.g., a victim viewing the malicious content). The impact on confidentiality is high, while integrity and availability impacts are low. No known active exploits have been reported, but the vulnerability was responsibly disclosed via GitHub's Bug Bounty program. This vulnerability highlights the risks of insufficient input sanitization in web applications, especially in collaborative platforms where user-generated content is prevalent.

For European organizations using GitHub Enterprise Server, this vulnerability poses a significant risk of sensitive information leakage and potential compromise of user sessions or credentials. Since GitHub Enterprise Server is widely used by software development teams for source code management and collaboration, exploitation could lead to exposure of proprietary code, internal project details, and confidential communications. The ability to inject malicious scripts could also facilitate lateral movement within networks if attackers leverage stolen credentials or session tokens. The requirement for attacker permissions to modify entity names limits the attack surface but does not eliminate risk, especially in environments with large user bases or insufficient access controls. The high CVSS score reflects the potential for impactful breaches if exploited. Additionally, the vulnerability could undermine trust in development pipelines and introduce risks to software supply chain integrity. European organizations with compliance obligations around data protection (e.g., GDPR) must consider the legal and reputational consequences of such breaches.

1. Immediately upgrade GitHub Enterprise Server to one of the patched versions: 3.19.1, 3.18.2, 3.17.8, 3.16.11, 3.15.15, or 3.14.20 or later. 2. Review and restrict permissions to create or modify milestone, issue, and pull request names to trusted users only, minimizing the risk of malicious input. 3. Implement strict input validation and sanitization policies on user-generated content within GitHub Enterprise Server, if customization is possible. 4. Monitor logs and audit trails for unusual activity related to entity name changes or search/filter usage that could indicate exploitation attempts. 5. Educate users about the risks of clicking on suspicious links or content within the GitHub environment to reduce the risk of social engineering. 6. Employ Content Security Policy (CSP) headers and other browser security mechanisms to limit the impact of potential XSS payloads. 7. Regularly review and update security configurations and conduct penetration testing focused on web application vulnerabilities in the development infrastructure.