CVE-2025-3246: 
GitHub Enterprise Server vulnerability analysis and mitigation

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server version 3.16.1 that allowed cross-site scripting in GitHub Markdown when using $$..$$ math blocks. The vulnerability was discovered and reported through the GitHub Bug Bounty program and was fixed in version 3.16.2, released on April 17, 2025 (GitHub Release Notes).

The vulnerability allowed attackers to exploit improper input neutralization in GitHub's Markdown rendering system, specifically within math blocks denoted by $$..$$. The issue enabled the embedding of malicious HTML/CSS content, leading to cross-site scripting attacks. GitHub mitigated this by disallowing early escape of math blocks by dollar signs and improving math-rendered content escaping. The vulnerability has been assigned CVE-2025-3246 and received a HIGH severity rating (GitHub Release Notes).

The vulnerability could allow attackers to perform cross-site scripting attacks through specially crafted math blocks in Markdown content. This could potentially lead to the execution of malicious code in users' browsers when viewing affected content (GitHub Release Notes).

The vulnerability has been fixed in GitHub Enterprise Server version 3.16.2. Organizations running affected versions should upgrade to version 3.16.2 to receive the security fix. The patch implements improved escaping of math-rendered content and prevents early escape of math blocks by dollar signs (GitHub Release Notes).