GitLab released critical security patches on December 10, 2025, addressing ten vulnerabilities across its Community Edition (CE) and Enterprise Edition (EE). The updated versions 18.6.2, 18.5.4, and 18.4.6 fix several high-severity security issues.
High-Severity Threats Identified
Four vulnerabilities received high-severity ratings and require immediate remediation.
In total, the release addresses four high-severity flaws, five medium-severity issues, and one low-severity vulnerability.
Four of the ten issues involve cross-site scripting (XSS), improper encoding, or HTML injection that could let an attacker perform unauthorized actions on behalf of other users.
CVE ID            Vulnerability Type                   CVSS Score
CVE-2025-12716    Cross-site Scripting (XSS)           8.7
CVE-2025-8405     Improper Encoding / HTML Injection   8.7
CVE-2025-12029    Cross-site Scripting (XSS)           8.0
CVE-2025-12562    Denial of Service (DoS)              7.5
CVE-2025-11984    Authentication Bypass                6.8
CVE-2025-4097     Denial of Service (DoS)              6.5
CVE-2025-14157    Denial of Service (DoS)              6.5
CVE-2025-11247    Information Disclosure               4.3
CVE-2025-13978    Information Disclosure               4.3
CVE-2025-12734    HTML Injection                       3.5
GitLab strongly recommends that all self-managed installations upgrade immediately; GitLab.com already runs the patched version.
The most severe vulnerabilities are a cross-site scripting flaw in the Wiki functionality (CVE-2025-12716) and improper encoding in vulnerability reports (CVE-2025-8405), both with a CVSS score of 8.7.
In addition, an XSS vulnerability in Swagger UI (CVE-2025-12029, CVSS 8.0) and a GraphQL denial-of-service issue (CVE-2025-12562, CVSS 7.5) pose significant risks.
The GraphQL vulnerability is particularly concerning because unauthenticated attackers can craft queries that bypass the query complexity limits and trigger service disruption.
An authentication bypass affecting users of WebAuthn two-factor authentication (CVE-2025-11984, CVSS 6.8) is rated medium severity; it allows authenticated attackers to bypass security controls.
Three denial-of-service vulnerabilities affect ExifTool processing, the Commit API, and GraphQL endpoints, potentially disrupting service availability.
Additional issues include information disclosure through error messages and HTML injection in merge request titles.
Instances running any version earlier than 18.4.6, 18.5.x earlier than 18.5.4, or 18.6.x earlier than 18.6.2 are affected by these vulnerabilities.
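The affected ranges above are branch-specific, so a plain "is my version lower than 18.6.2" comparison gets 18.5.4 and 18.4.6 wrong. The following Python helper is an added example (not GitLab's code or part of the original advisory) that encodes exactly the three ranges the advisory states and evaluates a version string such as the one GitLab's `GET /api/v4/version` endpoint returns to an authenticated caller, or the version printed by `gitlab-rake gitlab:env:info` on the host. The sample API response is constructed, and treating releases newer than 18.6 as already carrying the fixes is an assumption, not something the advisory says.

```python
from __future__ import annotations

import json
import re

# Patched releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (18, 4): (18, 4, 6),
    (18, 5): (18, 5, 4),
    (18, 6): (18, 6, 2),
}
# Every release before the oldest patched branch is affected ("any
# version earlier than 18.4.6").
OLDEST_PATCHED_BRANCH = (18, 4)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '18.6.1' or
    '18.6.1-ee'. GitLab appends '-ee'/'-ce' to its own version output, so
    the edition suffix is tolerated; anything that does not start with
    three dotted integers is rejected rather than silently mis-compared."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside an affected range from the advisory:
    anything before 18.4.6, 18.5.x before 18.5.4, or 18.6.x before 18.6.2.
    Branches newer than 18.6 are assumed (not stated on the page) to
    include the fixes, so they return False."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < OLDEST_PATCHED_BRANCH:
        return True
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return False  # 18.7 or later: assumed to carry the fixes forward
    return (major, minor, patch) < fixed


def required_upgrade(version: str) -> str | None:
    """Return the minimum patched release for the instance's branch, or None
    if the instance is not affected. Versions older than 18.4 get 18.4.6 as
    the lowest patched target; the actual upgrade path may need extra stops."""
    if not is_vulnerable(version):
        return None
    branch = parse_version(version)[:2]
    fixed = FIXED_VERSIONS.get(branch, FIXED_VERSIONS[OLDEST_PATCHED_BRANCH])
    return "%d.%d.%d" % fixed


def check_api_response(body: str) -> dict:
    """Evaluate the JSON body of GET /api/v4/version, which contains a
    'version' field (and a 'revision' field that is not needed here)."""
    version = json.loads(body)["version"]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "upgrade_to": required_upgrade(version),
    }


# Constructed sample response; not captured from a real instance.
SAMPLE_RESPONSE = '{"version": "18.6.1-ee", "revision": "0000000"}'

if __name__ == "__main__":
    print(check_api_response(SAMPLE_RESPONSE))
```

The check is deliberately branch-aware: 18.5.4 is patched even though it is numerically below 18.6.2, and 18.4.7 (should it exist) would be patched as well, while 18.6.0 is not. Feed it the version string from each self-managed instance in your inventory before deciding which ones need the migration window described next.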
The patch includes database migrations that may affect upgrade timelines. Single-node instances will experience downtime while the migrations complete.
Properly configured multi-node deployments can apply the updates without service interruption by following GitLab's zero-downtime upgrade procedures.
Organizations should prioritize these updates as part of regular security hygiene. GitLab Dedicated customers do not need to take any action.
Further details on the affected version ranges and the individual patch notes are available in the official GitLab release documentation.