Cross-Site Scripting Vulnerability in GitHub Enterprise Server
CVE-2025-3246

8.6 HIGH

Key Information:

Vendor: GitHub

CVE Published: 17 April 2025

What is CVE-2025-3246?

A cross-site scripting (XSS) vulnerability was identified in GitHub Enterprise Server, caused by improperly neutralized input in GitHub Markdown's $$..$$ math blocks. An attacker with access to the server could use this flaw to run malicious scripts in another user's browser, but exploitation requires interaction from a privileged user. The issue was reported through the GitHub Bug Bounty program and has been fixed in version 3.16.2.

Affected Version(s)

GitHub Enterprise Server 3.16 <= 3.16.1

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

André Storfjord Kristiansen