GitLab Releases Critical Security Updates to Fix Vulnerabilities

GitLab Releases Critical Security Updates to Fix Vulnerabilities

Posted on By CWS

GitLab has released essential security patches for its Community Edition (CE) and Enterprise Edition (EE) to tackle several high-severity vulnerabilities. These updates, now available in versions 18.8.4, 18.7.4, and 18.6.6, are designed to prevent potential server crashes, data theft, and user session hijacking.

Urgent Updates for GitLab Instances

Security specialists are advising administrators of self-hosted GitLab instances to apply these updates without delay, as the GitLab.com platform has already been secured. The most critical flaw, identified as CVE-2025-7659 with a CVSS score of 8.0, resides in the Web IDE. This vulnerability results from insufficient validation, allowing unauthorized access to sensitive data.

An attacker without authentication could exploit this weakness to gain access to tokens and view private repositories. This poses a significant risk to data integrity and confidentiality within affected systems.

Denial-of-Service Vulnerabilities Addressed

Additionally, the update addresses two serious Denial-of-Service (DoS) vulnerabilities. One, labeled CVE-2025-8099 (CVSS 7.5), involves service disruption via repetitive GraphQL queries. The other, CVE-2026-0958 (CVSS 7.5), allows attackers to overwhelm server resources by bypassing JSON validation processes.

These vulnerabilities could potentially render systems inoperable, emphasizing the need for immediate action to apply the patches and secure operations.

Cross-Site Scripting and Other Fixes

GitLab’s update also tackles CVE-2025-14560 (CVSS 7.3), a Cross-Site Scripting (XSS) issue within the Code Flow feature. This flaw enables malicious scripts to be injected into webpages, potentially allowing attackers to execute actions on behalf of unsuspecting users.

The update not only addresses these critical flaws but also resolves several medium-severity issues, such as Server-Side Request Forgery (SSRF) and HTML injection vulnerabilities. Administrators should be prepared for potential downtime during single-node instance upgrades due to necessary database migrations.

GitLab strongly encourages all users of affected versions to update to the latest release immediately to safeguard their environments. Keep informed by following us on Google News, LinkedIn, and X for ongoing cybersecurity updates.

Cyber Security News Tags:, , , , , , , , ,

Related Posts

5 Common Back-to-School Online Scams Powered Using AI and How to Avoid Them 5 Common Back-to-School Online Scams Powered Using AI and How to Avoid Them Cyber Security News
Salat Stealer Exfiltrates Browser Credentials Via Sophisticated C2 Infrastructure Salat Stealer Exfiltrates Browser Credentials Via Sophisticated C2 Infrastructure Cyber Security News
Hackers Replace ‘m’ with ‘rn’ in Microsoft(.)com to Steal Users’ Login Credentials Hackers Replace ‘m’ with ‘rn’ in Microsoft(.)com to Steal Users’ Login Credentials Cyber Security News
Google Forms Exploited in New PureHVNC Malware Attack Google Forms Exploited in New PureHVNC Malware Attack Cyber Security News
Microsoft Introduces Researcher in Microsoft 365 Copilot, a Secure Virtual Assistant for Your Computer Microsoft Introduces Researcher in Microsoft 365 Copilot, a Secure Virtual Assistant for Your Computer Cyber Security News
New Technique Uncovered To Exploit Linux Kernel Use-After-Free Vulnerability New Technique Uncovered To Exploit Linux Kernel Use-After-Free Vulnerability Cyber Security News