CVE-2025-6600: 
GitHub Enterprise Server vulnerability analysis and mitigation

An exposure of sensitive information vulnerability (CVE-2025-6600) was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. The vulnerability was discovered in GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The issue was reported through the GitHub Bug Bounty program (GitHub Release Notes, NVD).

The vulnerability could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. The CVSS v4.0 score assigned by GitHub is 6.3 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

If successfully exploited, this vulnerability would allow attackers to disclose the names of private repositories within an organization, potentially exposing sensitive information about the organization's private projects and internal structure (GitHub Release Notes).

The vulnerability has been patched in GitHub Enterprise Server version 3.17.2. Organizations running affected versions should upgrade to version 3.17.2 or later to address this security issue (GitHub Release Notes).