Advisory

GitLab fixes critical security flaws in Community Edition (CE) and Enterprise Edition (EE)

Take action: If you run self-managed GitLab Community Edition (CE) or Enterprise Edition (EE), schedule a prompt patch cycle. The critical vulnerabilities still need an authenticated starting point (a valid signed SAML document from the same identity provider, or an ordinary GitLab user account), but neither is hard to obtain. Patch: the temporary mitigations only raise the bar for an attacker trying to take over user accounts, they do not close the flaws.


Learn More

GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) versions 17.7.7, 17.8.5, and 17.9.2, addressing multiple security vulnerabilities, including two critical flaws.

Vulnerability summary

  • CVE-2025-25291 and CVE-2025-25292 (CVSS score 9.8): critical severity authentication bypass vulnerabilities in the ruby-saml library that GitLab uses for SAML SSO. Both stem from a parser differential (the library verified the XML signature with one XML parser but extracted the assertion with another), and are fixed in ruby-saml 1.12.4 and 1.18.0. An attacker who holds any valid signed SAML document from the Identity Provider (IdP), for example the response issued for their own low-privileged account at that IdP, can log in to GitLab as another user of the same IdP, leading to unauthorized access, data exposure, and privilege escalation.
  • CVE-2025-27407 (CVSS score 9.0): remote code execution vulnerability in the Ruby graphql library, triggered when it loads a crafted GraphQL schema from an introspection result. GitLab is exposed through the Direct Transfer feature (migrating groups and projects between instances), which loads the source instance's schema: an authenticated user who points a transfer at a malicious source instance could achieve remote code execution on the destination. Direct Transfer is in beta and disabled by default.

Additional Vulnerabilities

  • CVE-2025-1257 (CVSS score 6.5): Medium severity denial of service vulnerability in GitLab Approval Rules due to an unbounded field that could allow an attacker to cause a denial of service condition by manipulating specific API inputs.
  • CVE-2024-13054 (CVSS score 5.7): Medium severity denial of service vulnerability that could allow an attacker to cause a system reboot under certain conditions.
  • CVE-2024-12380 (CVSS score 4.4): Medium severity vulnerability where certain user inputs in repository mirroring settings could potentially expose sensitive authentication information.
  • CVE-2025-0652 (CVSS score 4.3): Medium severity issue where internal notes in merge requests are emailed to non-members upon review submission, potentially allowing unauthorized users to access confidential information.
  • CVE-2024-8402 (CVSS score 3.7): Low severity input validation issue in the Google Cloud IAM integration feature that could enable a Maintainer to introduce malicious code.
  • CVE-2024-7296 (CVSS score 2.7): Low severity vulnerability that allowed a user with custom permission to approve pending membership requests beyond the maximum number of allowed users.

Affected Versions

All GitLab CE/EE versions in the 17.9 series before 17.9.2, in the 17.8 series before 17.8.5, and in the 17.7 series before 17.7.7 are affected, as are all older, unsupported releases (no patch release exists for those; upgrade to a supported series). GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action; they will be notified once their instance has been patched.
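As an added check (example code written for this page, not GitLab's own tooling), the function below classifies a self-managed instance's version string against the patched releases named above. It assumes that any series newer than 17.9 (17.10+, 18.x) shipped after the fix and therefore contains it, and treats anything older than 17.7 as affected because no patch release exists for it; the "-ee"/"-ce" suffix that GitLab appends to its version strings is stripped before comparison.

```ruby
# Added example, not GitLab code: is this GitLab version inside the advisory's
# affected range? Patched releases per the advisory: 17.7.7, 17.8.5, 17.9.2.
require "rubygems" # for Gem::Version

PATCHED = {
  [17, 7] => Gem::Version.new("17.7.7"),
  [17, 8] => Gem::Version.new("17.8.5"),
  [17, 9] => Gem::Version.new("17.9.2"),
}.freeze

OLDEST_PATCHED_SERIES = [17, 7].freeze

# Returns :patched, :affected, :unsupported_affected, or :unknown.
def advisory_status(version_string)
  # GitLab reports e.g. "17.9.1-ee"; Gem::Version would treat "-ee" as a
  # prerelease tag that sorts *below* 17.9.1, so strip the edition suffix.
  v = Gem::Version.new(version_string.to_s.strip.sub(/-(ee|ce)\z/, ""))
  major, minor = v.segments[0, 2]
  minor ||= 0
  series = [major, minor]

  if PATCHED.key?(series)
    v >= PATCHED[series] ? :patched : :affected
  elsif (series <=> OLDEST_PATCHED_SERIES) > 0
    :patched              # assumption: later series ship with the fix included
  else
    :unsupported_affected # older than 17.7: no patch release, upgrade series
  end
rescue ArgumentError     # malformed version string
  :unknown
end

if __FILE__ == $0
  # Constructed sample inputs; in practice feed the output of
  # `gitlab-rake gitlab:env:info` or GET /api/v4/version.
  %w[17.9.1-ee 17.9.2-ce 17.8.4 17.7.7 17.10.0 17.6.3].each do |ver|
    puts "#{ver}: #{advisory_status(ver)}"
  end
end
```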

For users who cannot immediately upgrade to a patched version, GitLab recommends the following temporary mitigations:

  1. Enable GitLab two-factor authentication for all user accounts on the self-managed instance. Enabling multi-factor authentication at the identity provider does not mitigate the SAML vulnerabilities: the attacker obtains their forged assertion by completing the IdP's own login (including its MFA) as themselves, so only a second factor that GitLab itself checks after SAML login adds protection.
  2. Disable the SAML two-factor bypass option in GitLab (the upstream_two_factor_authn_contexts provider setting), so that an assertion claiming the IdP already performed MFA cannot skip GitLab's own 2FA.
  3. Require admin approval for automatically created new users by setting gitlab_rails['omniauth_block_auto_created_users'] = true, so an attacker cannot silently provision accounts through SSO.
  4. Disable migration of groups and projects by direct transfer (Admin area > Settings > General > Import and export settings, or bulk_import_enabled in the application settings API; it is disabled by default) to mitigate the remote code execution vulnerability.
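An added example, not GitLab's own code, that audits the four mitigations above on a self-managed instance. It shows a weak gitlab.rb fragment beside the hardened one, then checks a gitlab.rb text for the two Omnibus settings (items 2 and 3) and the JSON returned by GET /api/v4/application/settings for the two application settings (items 1 and 4: require_two_factor_authentication with two_factor_grace_period, and bulk_import_enabled). Both gitlab.rb fragments and the JSON are constructed samples; the IdP URL is an assumption. The grace-period check goes one step beyond the advisory text: with a non-zero grace period users can still sign in without 2FA for that many hours, so the example requires it to be zero.

```ruby
# Added example, not GitLab code: audit the advisory's temporary mitigations.
require "json"

# Constructed sample: gitlab.rb that still allows the SAML 2FA bypass and
# auto-creates SSO users without admin approval (the weak settings).
WEAK_GITLAB_RB = <<~'RUBY'
  gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
  gitlab_rails['omniauth_block_auto_created_users'] = false
  gitlab_rails['omniauth_providers'] = [
    {
      name: 'saml',
      args: {
        idp_sso_service_url: 'https://idp.example.com/sso',   # assumed IdP URL
        # Trusting the IdP's AuthnContext lets a forged assertion skip GitLab 2FA.
        upstream_two_factor_authn_contexts: %w(urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken)
      }
    }
  ]
RUBY

# Constructed sample: the same fragment with mitigations 2 and 3 applied.
HARDENED_GITLAB_RB = <<~'RUBY'
  gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
  gitlab_rails['omniauth_block_auto_created_users'] = true
  gitlab_rails['omniauth_providers'] = [
    {
      name: 'saml',
      args: {
        idp_sso_service_url: 'https://idp.example.com/sso'   # assumed IdP URL
        # upstream_two_factor_authn_contexts removed: GitLab 2FA is always enforced
      }
    }
  ]
RUBY

# Constructed samples of the relevant keys from GET /api/v4/application/settings.
WEAK_APP_SETTINGS     = '{"require_two_factor_authentication": false, "two_factor_grace_period": 48, "bulk_import_enabled": true}'
HARDENED_APP_SETTINGS = '{"require_two_factor_authentication": true,  "two_factor_grace_period": 0,  "bulk_import_enabled": false}'

# Only uncommented lines count; '#'-prefixed lines in gitlab.rb are inactive defaults.
def uncommented_lines(text)
  text.lines.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }
end

def audit_gitlab_rb(text)
  lines = uncommented_lines(text)
  # Last assignment wins, as it does when gitlab.rb is evaluated; an absent
  # setting is reported as not blocking, so it gets flagged for review.
  block_values = lines.map { |l| l[/\Agitlab_rails\['omniauth_block_auto_created_users'\]\s*=\s*(true|false)/, 1] }.compact
  {
    block_auto_created_users: block_values.last == "true",
    saml_2fa_bypass_disabled: lines.none? { |l| l.include?("upstream_two_factor_authn_contexts") },
  }
end

def audit_application_settings(json)
  s = JSON.parse(json)
  {
    # Enforcement alone is not enough: the grace period (hours, GitLab default 48)
    # lets users keep signing in without 2FA, so require it to be zero as well.
    gitlab_2fa_enforced: s["require_two_factor_authentication"] == true &&
                         s.fetch("two_factor_grace_period", 48).to_i.zero?,
    # Direct transfer (bulk import) is off by default; a missing key counts as off.
    direct_transfer_disabled: !s.fetch("bulk_import_enabled", false),
  }
end

def mitigations_in_place?(gitlab_rb, app_settings_json)
  audit_gitlab_rb(gitlab_rb).merge(audit_application_settings(app_settings_json)).values.all?
end

if __FILE__ == $0
  puts "weak:     #{audit_gitlab_rb(WEAK_GITLAB_RB).merge(audit_application_settings(WEAK_APP_SETTINGS))}"
  puts "hardened: #{audit_gitlab_rb(HARDENED_GITLAB_RB).merge(audit_application_settings(HARDENED_APP_SETTINGS))}"
end
```

On a real instance, read /etc/gitlab/gitlab.rb for the first function and call GET /api/v4/application/settings with an administrator token for the second; both checks are read-only. Note that items 1 and 4 are application settings stored in the database, not in gitlab.rb, which is why the example audits two different sources.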

GitLab strongly recommends that all installations running affected versions be upgraded to one of the patched versions immediately. The company emphasizes the importance of maintaining good security hygiene and upgrading to the latest patch release for all supported versions.
