Cyber Web Spider Blog – News
Multiple GitLab Vulnerabilities Allow Attackers to Achieve Complete Account Takeover

Posted on June 12, 2025 by CWS

A set of critical security vulnerabilities across the GitLab Community Edition (CE) and Enterprise Edition (EE) platforms could allow attackers to achieve full account takeover and compromise entire development infrastructures.

The company released emergency patch versions 18.0.2, 17.11.4, and 17.10.8 to address ten distinct security flaws, several of which carry high-severity CVSS scores above 8.0.

These vulnerabilities affect hundreds of thousands of GitLab installations worldwide and pose significant risks to organizations' source code repositories, CI/CD pipelines, and sensitive development data.

Account Takeover Vulnerabilities

The most severe vulnerability, CVE-2025-4278, is an HTML injection flaw with a CVSS score of 8.7 that could allow attackers to achieve full account takeover by injecting malicious code into GitLab's search functionality.

Security researcher joaxcar discovered this critical flaw through GitLab's HackerOne bug bounty program; it affects all GitLab CE/EE versions from 18.0 before 18.0.2.

Complementing this threat, CVE-2025-2254 is a cross-site scripting (XSS) vulnerability with an identical CVSS score of 8.7.

This flaw allows attackers to execute malicious scripts within the snippet viewer, letting them impersonate legitimate users and perform unauthorized actions within those users' security context.

The vulnerability affects GitLab CE/EE versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, demonstrating the widespread nature of these security gaps.

CI/CD and DoS Attacks

GitLab Ultimate EE customers face an additional high-severity threat through CVE-2025-5121, a missing authorization vulnerability with a CVSS score of 8.5.

The flaw could allow authenticated attackers to inject malicious CI/CD jobs into all future pipelines across any project within a GitLab Ultimate instance.

The vulnerability affects GitLab Ultimate EE versions from 17.11 before 17.11.4 and 18.0 before 18.0.2, potentially compromising entire software development and deployment processes.

Several denial-of-service vulnerabilities compound these risks, including CVE-2025-0673 (CVSS 7.5), which allows attackers to trigger infinite redirect loops, causing server memory exhaustion.

Additional DoS vectors include CVE-2025-1516 and CVE-2025-1478, which exploit unbounded webhook token names and board names, respectively; each carries a CVSS score of 6.5.

These vulnerabilities affect GitLab installations dating back to versions 8.7 and 8.13, indicating long-standing security weaknesses.

Immediate Patching Required

GitLab strongly recommends immediate upgrades to the latest patch versions for all self-managed installations, noting that GitLab.com has already implemented the security fixes.

The vulnerabilities span multiple deployment types, including Omnibus, source code installations, and Helm charts, requiring comprehensive remediation across diverse infrastructure configurations.

Organizations should prioritize upgrading affected systems immediately, as GitLab follows a responsible disclosure policy that makes vulnerability details public 30 days after the patch release.

The company maintains that all customer-facing systems and data hosting environments must adhere to the highest security standards, making these patches essential for maintaining secure development environments.

Security teams should implement these updates within the next available maintenance window to prevent potential exploitation of these serious vulnerabilities.
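To triage self-managed instances against this release, the following added example (not GitLab's own tooling) encodes the three affected-version ranges the article states explicitly (CVE-2025-4278, CVE-2025-2254 and the Ultimate-only CVE-2025-5121) and reports which of them an installed version is still exposed to; the DoS CVEs are omitted because the article gives no per-CVE version boundaries for them, and the table should be re-verified against GitLab's advisory before use.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Turn '17.11.3', '17.11.3-ee' or '18.0' into a comparable (major, minor, patch) tuple."""
    core = s.strip().split("-")[0].split("+")[0]   # drop '-ee' / build metadata suffixes
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                          # '18.0' means the first release of the series
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# Affected ranges transcribed from the article: each entry is [first_affected, first_fixed).
# The bool marks CVEs that apply to the Ultimate tier only (CVE-2025-5121).
AFFECTED: Dict[str, Tuple[bool, List[Tuple[str, str]]]] = {
    "CVE-2025-4278": (False, [("18.0", "18.0.2")]),
    "CVE-2025-2254": (False, [("17.9", "17.10.8"), ("17.11", "17.11.4"), ("18.0", "18.0.2")]),
    "CVE-2025-5121": (True, [("17.11", "17.11.4"), ("18.0", "18.0.2")]),
}


def affected_cves(installed: str, ultimate: bool = False) -> List[str]:
    """Return the CVEs from the table that an installed version is still exposed to."""
    v = parse_version(installed)
    hits = []
    for cve, (ultimate_only, ranges) in AFFECTED.items():
        if ultimate_only and not ultimate:
            continue
        if any(parse_version(lo) <= v < parse_version(fixed) for lo, fixed in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs: version strings as reported by `gitlab-rake gitlab:env:info`.
    for ver, tier in [("17.10.7-ee", True), ("17.11.0", False), ("18.0.2", True)]:
        edition = "Ultimate" if tier else "CE/Premium"
        print(ver, edition, "->", affected_cves(ver, tier) or "not affected by the listed CVEs")
```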
