GitLab has launched emergency safety patches for a number of variations of its platform, addressing eight vulnerabilities that might allow arbitrary code execution and unauthorized entry in self-managed installations.
The up to date variations 18.7.1, 18.6.3, and 18.5.5 have been deployed to GitLab.com on January 7, 2026, with self-hosted clients strongly suggested to improve instantly.
Probably the most extreme vulnerability, CVE-2025-9222, impacts GitLab Neighborhood and Enterprise Editions and has a CVSS rating of 8.7.
This saved cross-site scripting (XSS) flaw in GitLab Flavored Markdown placeholders might permit authenticated attackers to execute malicious code inside victims’ browsers.
Impacted variations span from 18.2.2 by means of 18.7.0, affecting a broad vary of deployments. A second high-severity difficulty, CVE-2025-13761, impacts the Internet IDE part and carries a CVSS rating of 8.0.
This flaw permits attackers to execute malicious code by luring logged-in customers to malicious net pages, which might hijack periods and result in unauthorized entry to repositories.
Enterprise Version clients face extra dangers from CVE-2025-13772, a lacking authorization bug within the Duo Workflows API that permits authenticated customers to entry AI mannequin settings from unauthorized namespaces.
Found internally by GitLab engineer Jessie Younger, this flaw carries a CVSS rating of seven.1.
Extra Vulnerabilities and Influence
The safety replace additionally addresses medium-severity points, together with denial-of-service vulnerabilities in import performance (CVE-2025-10569).
Inadequate entry controls in GraphQL mutations that might permit unauthorized runner modifications (CVE-2025-11246).
A low-severity data disclosure bug in Mermaid diagram rendering (CVE-2025-3950) completes the patch set.
GitLab’s safety group emphasizes that each one deployment sorts, Omnibus packages, supply code installations, and Helm charts require quick updating.
Single-node cases will expertise downtime throughout upgrades on account of obligatory database migrations. On the identical time, multi-node deployments can obtain zero-downtime updates following correct procedures.
The vulnerabilities have been reported through GitLab’s HackerOne bug bounty program, with researcher yvvdwf credited with discovering the essential XSS flaw.
GitLab maintains a 30-day disclosure coverage, below which detailed difficulty experiences turn into public on its tracker after the patch launch.
Self-managed GitLab directors ought to seek the advice of the official replace documentation and subscribe to GitLab’s safety launch RSS feed for future patch notifications.
Observe us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.
