GitLab has released essential security patches for its Community Edition (CE) and Enterprise Edition (EE) to tackle several high-severity vulnerabilities. These updates, now available in versions 18.8.4, 18.7.4, and 18.6.6, are designed to prevent potential server crashes, data theft, and user session hijacking.
Urgent Updates for GitLab Instances
Security specialists are advising administrators of self-hosted GitLab instances to apply these updates without delay, as the GitLab.com platform has already been secured. The most critical flaw, identified as CVE-2025-7659 with a CVSS score of 8.0, resides in the Web IDE. This vulnerability results from insufficient validation, allowing unauthorized access to sensitive data.
An attacker without authentication could exploit this weakness to gain access to tokens and view private repositories. This poses a significant risk to data integrity and confidentiality within affected systems.
Denial-of-Service Vulnerabilities Addressed
Additionally, the update addresses two serious Denial-of-Service (DoS) vulnerabilities. One, labeled CVE-2025-8099 (CVSS 7.5), involves service disruption via repetitive GraphQL queries. The other, CVE-2026-0958 (CVSS 7.5), allows attackers to overwhelm server resources by bypassing JSON validation processes.
These vulnerabilities could potentially render systems inoperable, emphasizing the need for immediate action to apply the patches and secure operations.
Cross-Site Scripting and Other Fixes
GitLab’s update also tackles CVE-2025-14560 (CVSS 7.3), a Cross-Site Scripting (XSS) issue within the Code Flow feature. This flaw enables malicious scripts to be injected into webpages, potentially allowing attackers to execute actions on behalf of unsuspecting users.
The update not only addresses these critical flaws but also resolves several medium-severity issues, such as Server-Side Request Forgery (SSRF) and HTML injection vulnerabilities. Administrators should be prepared for potential downtime during single-node instance upgrades due to necessary database migrations.
GitLab strongly encourages all users of affected versions to update to the latest release immediately to safeguard their environments. Keep informed by following us on Google News, LinkedIn, and X for ongoing cybersecurity updates.
