GitLab releases security patches for multiple vulnerabilities
Take action: If you run self-hosted GitLab Community Edition (CE) or Enterprise Edition (EE), schedule a patch cycle now. None of the flaws is rated critical, but a GitLab server is by design reachable by many users and often by the internet, and two of the issues are high-severity cross-site scripting bugs in the Maven Dependency Proxy. Given enough time, an unpatched server is likely to meet a working exploit scenario.
Learn More
GitLab has released security updates for both its Community Edition (CE) and Enterprise Edition (EE), addressing several high- and medium-severity vulnerabilities.
Vulnerability summary
- CVE-2025-1763 (CVSS 8.7): cross-site scripting (XSS) in the Maven Dependency Proxy through CSP directives. Under specific conditions it allows cross-site scripting and a Content Security Policy bypass. Affects all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
- CVE-2025-2443 (CVSS 8.7): cross-site scripting (XSS) in the Maven Dependency Proxy through cache headers. Same class of attack as the previous issue, reached through a different vector. Affects all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
- CVE-2025-1908 (CVSS 7.7): Network Error Logging (NEL) header injection in the Maven Dependency Proxy. It could allow an attacker to track users' browsing activity, potentially leading to full account takeover. Affects all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
- CVE-2025-0639 (CVSS 6.5): denial of service (DoS) via issue preview. Malicious use of the issue preview functionality can impact service availability. Affects all versions from 16.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
- CVE-2024-12244 (CVSS 4.3): unauthorized access to branch names when repository assets are disabled. It lets users view certain restricted project information even when the related features are disabled. Affects all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
The patched versions are 17.11.1, 17.10.5, and 17.9.7.
GitLab strongly recommends that all installations running affected versions be upgraded to the latest version as soon as possible. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action.
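As an added check for this bulletin (example code, not a GitLab tool), the script below maps a running version onto the fix versions and per-CVE affected ranges listed above and says which branch release to upgrade to. The only real interface it relies on is GitLab's `GET /api/v4/version` endpoint, which returns the version string to an authenticated user; the function names, the use of a personal access token in the `PRIVATE-TOKEN` header and the sample version `17.10.3-ee` are the example's own assumptions. A version older than 16.6 is reported as outside the listed ranges, which only means this advisory does not cover it, not that it is safe.

```python
"""Check a self-hosted GitLab version against the fix versions in this advisory.

Added example, not GitLab's own tooling. The fix versions and affected ranges
are the ones quoted in the bulletin; /api/v4/version is GitLab's real API,
everything else here (function names, the sample version) is illustrative.
"""
import json
import re
import sys
import urllib.request

# Fix versions per release branch, as listed in the advisory.
FIXED = {
    (17, 9): (17, 9, 7),
    (17, 10): (17, 10, 5),
    (17, 11): (17, 11, 1),
}
EARLIEST_AFFECTED = (16, 6, 0)  # lowest version in any of the listed ranges

# First affected minor release for each CVE, taken from the ranges above:
# three bugs start at 16.6, the DoS at 16.7, the branch-name leak at 17.7.
CVE_FIRST_AFFECTED = {
    "CVE-2025-1763": (16, 6),
    "CVE-2025-2443": (16, 6),
    "CVE-2025-1908": (16, 6),
    "CVE-2025-0639": (16, 7),
    "CVE-2024-12244": (17, 7),
}


def parse_version(text):
    """Turn '17.10.3-ee', 'v17.10.3' or '17.11.0-pre' into (17, 10, 3)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def required_fix(v):
    """Smallest patched release on v's branch, or None if v needs no upgrade
    for this advisory (already patched, or below the earliest listed range)."""
    branch = v[:2]
    if v >= FIXED[(17, 11)]:
        return None                      # 17.11.1 and anything newer
    if branch in FIXED:                  # 17.9.x, 17.10.x, 17.11.0
        fix = FIXED[branch]
        return None if v >= fix else fix
    if EARLIEST_AFFECTED <= v < (17, 9, 0):
        return FIXED[(17, 9)]            # "all versions from 16.6 prior to 17.9.7"
    return None                          # below 16.6: not in any listed range


def assess(version_text):
    """Classify a version string and list the advisory CVEs that apply to it."""
    v = parse_version(version_text)
    fix = required_fix(v)
    if fix is not None:
        status = "vulnerable"
    elif v >= EARLIEST_AFFECTED:
        status = "patched"
    else:
        # The advisory says nothing about these releases: out of scope, not safe.
        status = "outside_listed_ranges"
    cves = []
    if status == "vulnerable":
        cves = [cve for cve, first in CVE_FIRST_AFFECTED.items() if v[:2] >= first]
    return {
        "version": ".".join(map(str, v)),
        "status": status,
        "upgrade_to": ".".join(map(str, fix)) if fix else None,
        "cves": cves,
    }


def fetch_version(base_url, token):
    """Read the running version from GitLab's /api/v4/version endpoint.
    The endpoint requires an authenticated user; a personal access token is assumed."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Usage: python check_gitlab.py https://gitlab.example.com $TOKEN   (live query)
    #    or: python check_gitlab.py 17.10.3-ee                          (offline)
    if len(sys.argv) == 3:
        reported = fetch_version(sys.argv[1], sys.argv[2])
    elif len(sys.argv) == 2:
        reported = sys.argv[1]
    else:
        reported = "17.10.3-ee"  # constructed sample input
    print(json.dumps(assess(reported), indent=2))
```

Run it with a base URL and token to query a live instance, or with a bare version string to evaluate offline. The ranges apply to CE and EE alike, so the `-ce`/`-ee` suffix is ignored on purpose; a result of `patched` only covers the five issues in this advisory, not anything published later.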