What vulnerabilities has GitLab addressed in its latest security updates?

GitLab has released security updates for multiple high-severity vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), including 4 critical/high-severity vulnerabilities and 6 medium-severity vulnerabilities affecting various components from search functionality to CI/CD pipelines.

What are the most critical GitLab vulnerabilities?

The most critical vulnerabilities include CVE-2025-4278 (CVSS 8.7) for HTML injection allowing account takeover, CVE-2025-2254 (CVSS 8.7) for cross-site scripting in snippet viewer enabling user impersonation, CVE-2025-5121 (CVSS 8.5) for missing authorization allowing malicious CI/CD job injection in GitLab Ultimate EE, and CVE-2025-0673 (CVSS 7.5) for denial of service through infinite redirect loops.

How does the GitLab HTML injection vulnerability work?

CVE-2025-4278 is an HTML injection vulnerability with CVSS score 8.7 that allows account takeover through malicious code injection in search functionality. This vulnerability impacts all GitLab CE/EE versions starting with 18.0 before 18.0.2.

What is the CI/CD pipeline injection vulnerability in GitLab?

CVE-2025-5121 (CVSS 8.5) is a missing authorization issue in GitLab Ultimate EE that allows malicious CI/CD job injection. This vulnerability is limited to GitLab Ultimate EE versions from 17.11 before 17.11.4 and 18.0 before 18.0.2, potentially allowing attackers to inject malicious code into CI/CD pipelines.

What denial of service vulnerabilities affect GitLab?

Multiple denial of service vulnerabilities include CVE-2025-0673 (CVSS 7.5) causing infinite redirect loops and memory exhaustion, CVE-2025-1516 (CVSS 6.5) via unbounded webhook token names, CVE-2025-1478 (CVSS 6.5) via unbounded board names, and CVE-2025-5996 (CVSS 6.5) via uncontrolled HTTP response processing.

Which GitLab versions are affected by these vulnerabilities?

The vulnerabilities affect multiple GitLab versions, with some dating back several years. The HTML injection vulnerability affects versions starting with 18.0 before 18.0.2, the cross-site scripting issue affects versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, while the CI/CD pipeline injection affects GitLab Ultimate EE versions from 17.11 before 17.11.4 and 18.0 before 18.0.2.

What patches are available for the GitLab vulnerabilities?

GitLab has released versions 18.0.2, 17.11.4, and 17.10.8 for both Community Edition and Enterprise Edition to address these security flaws. Administrators are strongly urged to upgrade immediately to prevent potential exploitation.

What are the potential impacts of these GitLab vulnerabilities?

The vulnerabilities could enable serious attacks including account takeover through HTML injection, unauthorized user impersonation via cross-site scripting, malicious code injection into CI/CD pipelines, denial of service attacks causing system outages, information disclosure allowing unauthorized repository access, and bypass of security controls like IP restrictions.

Advisory

GitLab patches multiple account takeover and injection vulnerabilities

published: June 12, 2025

Take action: If you are running self-managed GitLab installations, plan a quick patch to versions 18.0.2, 17.11.4, or 17.10.8. There are three near-critical flaws, and GitLab is by it's nature open to multiple users so the risk is not trivial.

Learn More

GitLab has released security updates for multiple high-severity vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE).

Critical and High-Severity Vulnerabilities:

CVE-2025-4278 (CVSS score 8.7) - HTML injection vulnerability allowing account takeover through malicious code injection in search functionality
CVE-2025-2254 (CVSS score 8.7) - Cross-site scripting vulnerability in snippet viewer enabling unauthorized user impersonation
CVE-2025-5121 (CVSS score 8.5) - Missing authorization issue in GitLab Ultimate EE allowing malicious CI/CD job injection
CVE-2025-0673 (CVSS score 7.5) - Denial of service vulnerability through infinite redirect loops causing memory exhaustion

Medium-Severity Vulnerabilities:

CVE-2025-1516 (CVSS score 6.5) - Denial of service via unbounded webhook token names
CVE-2025-1478 (CVSS score 6.5) - Denial of service via unbounded board names
CVE-2025-5996 (CVSS score 6.5) - Denial of service via uncontrolled HTTP response processing
CVE-2024-9512 (CVSS score 5.3) - Information disclosure allowing unauthorized repository cloning
CVE-2025-5195 (CVSS score 4.3) - Information disclosure via authorization bypass affecting compliance frameworks
CVE-2025-5982 (CVSS score 3.7) - Group IP restriction bypass enabling access to sensitive information

The vulnerabilities affect multiple GitLab versions, with some dating back several years.

The HTML injection vulnerability (CVE-2025-4278) impacts all GitLab CE/EE versions starting with 18.0 before 18.0.2,
The cross-site scripting issue (CVE-2025-2254) affects versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2.
The CI/CD pipeline injection vulnerability (CVE-2025-5121) is limited to GitLab Ultimate EE versions from 17.11 before 17.11.4 and 18.0 before 18.0.2.

The company released versions 18.0.2, 17.11.4, and 17.10.8 for both to address these security flaws, with administrators strongly urged to upgrade immediately to prevent potential exploitation.

GitLab strongly recommends that all self-managed GitLab installations be upgraded. GitLab.com is already running the patched version, while GitLab Dedicated customers do not need to take action.

GitLab patches multiple account takeover and injection vulnerabilities

Read More
NVIDIA Patches Multiple Flaws Including Critical RCE Vulnerability …
Critical vulnerability reported in llama-cpp-python can lead to …
Multiple critical vulnerabilities impacting LangChain generative AI framework
Gitlab reports unauthorized pipeline execution flaw, urges patching …
Critical remote code execution flaw reported in Anthropic's …