CVE-2025-6600: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in GitHub GitHub Enterprise Server
An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization’s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program.
AI Analysis
Technical Summary
CVE-2025-6600 is a medium-severity vulnerability affecting GitHub Enterprise Server version 3.17.0. The issue involves the exposure of sensitive information, specifically the names of private repositories within an organization. The vulnerability arises from improper access control in the Search API endpoint, which can be exploited by an attacker possessing a user-to-server token with no scopes. However, exploitation requires an organization administrator to have installed a malicious GitHub App in the organization's repositories, which acts as a prerequisite for the attack. Once these conditions are met, the attacker can leverage the Search API to disclose private repository names, violating confidentiality. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It was responsibly disclosed through the GitHub Bug Bounty program and addressed in GitHub Enterprise Server version 3.17.2. The CVSS v4.0 base score is 6.3, reflecting a medium severity with network attack vector, low complexity, no privileges required, no user interaction, and low impact on confidentiality only. There are no known exploits in the wild at the time of publication.
Potential Impact
For European organizations using GitHub Enterprise Server 3.17.0, this vulnerability poses a risk to the confidentiality of private repository metadata. Disclosure of private repository names could aid attackers in reconnaissance activities, potentially leading to targeted attacks or social engineering campaigns. Although the vulnerability does not directly expose repository contents or allow code execution, the leakage of repository names can reveal sensitive project information, intellectual property interests, or strategic initiatives. This could impact organizations in sectors such as finance, technology, defense, and critical infrastructure, where confidentiality of development projects is paramount. Additionally, the prerequisite of installing a malicious GitHub App means that insider threats or compromised administrators could facilitate exploitation, increasing risk in environments with less stringent app vetting processes. The absence of known exploits reduces immediate risk, but organizations should act promptly to mitigate potential future attacks.
Mitigation Recommendations
European organizations should upgrade GitHub Enterprise Server instances from version 3.17.0 to 3.17.2 or later, where the vulnerability is patched. Administrators must enforce strict controls and vetting procedures for GitHub App installation, limiting installation rights to trusted personnel only. Monitor and audit GitHub App installations and API usage to detect anomalous behavior indicative of exploitation attempts. Apply the principle of least privilege to tokens and API access, ensuring tokens carry minimal scopes and are rotated regularly. Additionally, organizations should conduct internal security awareness training for administrators on the risks of installing untrusted applications. Network-level controls can restrict access to the GitHub Enterprise Server API endpoints to authorized IP ranges. Finally, maintain an incident response plan that includes procedures for handling a suspected compromise of GitHub environments.
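Two of the recommendations above (confirm the instance version against the affected range, and review GitHub App installations in the audit log) can be scripted. The following is an added example, not code from GitHub or from this advisory; the audit-log field names (`action`, `actor`, `integration`) and the `integration_installation.*` action names are assumptions modelled on GitHub's audit-log export, and the sample lines are constructed.

```python
"""Added defender-side checks for CVE-2025-6600; not GitHub's own code.
Audit-log field and action names below are assumptions, not verified schema."""
import json
from typing import Iterable, List, Tuple

FIXED = (3, 17, 2)           # first fixed release, per the advisory
AFFECTED_SERIES = (3, 17)    # only the 3.17 series was affected

def parse_version(v: str) -> Tuple[int, ...]:
    """'3.17.1' -> (3, 17, 1); GHES exposes this as installed_version in GET /meta."""
    return tuple(int(p) for p in v.strip().split("."))

def is_affected(version: str) -> bool:
    """True when the instance is a 3.17.x build older than 3.17.2."""
    v = parse_version(version)
    return v[:2] == AFFECTED_SERIES and v < FIXED

# Audit-log actions that record a GitHub App being installed or granted repos.
# Assumed names, modelled on GitHub's integration_installation.* audit events.
APP_INSTALL_ACTIONS = {"integration_installation.create",
                       "integration_installation.repositories_added"}

def triage_app_installs(audit_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (actor, action, app) for every app-installation event; skips bad JSON."""
    hits = []
    for line in audit_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the export
        if event.get("action") in APP_INSTALL_ACTIONS:
            hits.append((event.get("actor", "?"), event["action"],
                         event.get("integration", "?")))
    return hits

# Constructed sample export (JSON lines), not real audit data.
SAMPLE_AUDIT = [
    '{"action":"integration_installation.create","actor":"org-admin","org":"acme","integration":"example-helper-app"}',
    '{"action":"repo.create","actor":"dev1","org":"acme","repo":"acme/internal-tool"}',
    'not json at all',
]

if __name__ == "__main__":
    for ver in ("3.17.0", "3.17.1", "3.17.2", "3.16.9"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for actor, action, app in triage_app_installs(SAMPLE_AUDIT):
        print(f"review: {actor} performed {action} for app {app}")
```

Every flagged installation should be matched against the organization's approved-app list; an install by an unexpected actor, or of an unknown app, is the condition the advisory identifies as the exploitation prerequisite.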
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_P
- Date Reserved: 2025-06-25T02:29:00.545Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686432966f40f0eb72905816
Added to database: 7/1/2025, 7:10:14 PM
Last enriched: 7/1/2025, 7:24:33 PM
Last updated: 1/7/2026, 4:54:14 AM