GitLab has released security patches addressing multiple high-severity vulnerabilities that could enable attackers to perform account takeovers and execute stored cross-site scripting (XSS) attacks.
The patches, released on August 13, 2025, ship as versions 18.2.2, 18.1.4, and 18.0.6 of GitLab Community Edition (CE) and Enterprise Edition (EE); earlier releases on those lines remain vulnerable.
Key Takeaways
1. GitLab patched three high-severity XSS flaws, plus a fourth high-severity permission-handling flaw and several medium-severity issues.
2. Update immediately to versions 18.0.6, 18.1.4, or 18.2.2 to prevent exploitation.
3. Affects both CE and EE; one of the XSS flaws (CVE-2025-7734) dates back to version 14.2.
Cross-Site Scripting Vulnerabilities
Three high-severity XSS vulnerabilities, each scored 8.7 on CVSS 3.1, pose a significant threat to GitLab users.
CVE-2025-6186 is the most serious of the three: an authenticated user can achieve account takeover by injecting malicious HTML into work item names. It affects GitLab CE/EE 18.1 before 18.1.4 and 18.2 before 18.2.2.
CVE-2025-7734 affects the blob viewer: under certain conditions, an attacker who injects malicious content can execute actions on behalf of a user who views it. It affects all versions from 14.2 before the patched releases (18.0.6, 18.1.4, and 18.2.2).
CVE-2025-7739 targets scoped label descriptions, where an authenticated user can achieve stored XSS by injecting malicious HTML. It affects only GitLab 18.2 before 18.2.2.
All three share the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N: exploitable over the network with low attack complexity, requiring only low privileges (any authenticated account) and user interaction (a victim who views the injected content). The changed scope (S:C) reflects that the payload runs in the victim's browser session rather than in the vulnerable component itself, with high confidentiality and integrity impact and no availability impact.
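Because all three flaws are stored XSS, an administrator who upgrades late will also want to know whether anything was planted before the patch. The following script is an added example for this article, not GitLab's own tooling: it applies simple HTML-injection heuristics to work item titles (CVE-2025-6186) and label names and descriptions (CVE-2025-7739). The records are constructed to resemble the fields GitLab's REST API returns for issues and labels; the indicator patterns are this example's choice and will flag legitimate titles that mention HTML tags, so every hit needs human review.

```python
"""Heuristic hunt for injected HTML in GitLab work item titles and label
descriptions. Added example for this article; not GitLab's own tooling.
It flags stored content that looks like an XSS payload for review; it does
not exploit anything.
"""
import re

# Indicator patterns chosen for this example. A benign title such as
# "Fix <Button> rendering" will trigger html_tag, hence the manual review.
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "js_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "encoded_tag": re.compile(r"&(?:lt|#0*60|#x0*3c);", re.IGNORECASE),
}

# Fields to inspect per record kind: work item titles for CVE-2025-6186,
# scoped label names and descriptions for CVE-2025-7739.
FIELDS = {
    "issue": ("title",),
    "label": ("name", "description"),
}


def indicators_in(text):
    """Return the names of all indicator patterns that match `text`."""
    if not text:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_records(records, kind):
    """Scan issue or label dicts; return one finding per field that hits."""
    findings = []
    for rec in records:
        for field in FIELDS[kind]:
            hits = indicators_in(rec.get(field))
            if hits:
                findings.append({
                    "kind": kind,
                    "id": rec.get("id"),
                    "field": field,
                    "indicators": hits,
                    "value": rec[field],
                })
    return findings


# Constructed sample data shaped like GitLab REST API issue and label
# objects (only the fields used here). Not real export data.
SAMPLE_ISSUES = [
    {"id": 1, "title": "Login fails after password rotation"},
    {"id": 2, "title": 'Release notes <img src=x onerror="alert(document.cookie)">'},
    {"id": 3, "title": "Docs: describe &lt;script&gt; escaping in the wiki"},
]
SAMPLE_LABELS = [
    {"id": 10, "name": "priority::high", "description": "Needs attention this sprint"},
    {"id": 11, "name": "team::web",
     "description": '<a href="javascript:alert(document.domain)">team page</a>'},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_ISSUES, "issue") + scan_records(SAMPLE_LABELS, "label"):
        print(f"{f['kind']} {f['id']} [{f['field']}] "
              f"{','.join(f['indicators'])}: {f['value']!r}")
```

Run against a real instance, the records would come from the issues and labels endpoints of the REST API for each project; the encoded_tag indicator is there because an entity-encoded tag in a title is harmless on its own but is worth a look if it was stored during the vulnerable window.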
Permission and Authorization Vulnerabilities
CVE-2025-8094 is an improper permission handling issue in the project API, scored 7.7 on CVSS 3.1.
It could allow an authenticated user with Maintainer privileges to cause a denial of service to other users' CI/CD pipelines by manipulating shared infrastructure resources beyond their intended access level.
Several medium-severity vulnerabilities add to the risk, including CVE-2024-12303 (incorrect privilege assignment in the delete issues operation) and CVE-2024-10219 (incorrect authorization in the jobs API that could let a user bypass access controls and download private artifacts).
| CVE | Title | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-7734 | Cross-site scripting issue in blob viewer impacts GitLab CE/EE | 8.7 | High |
| CVE-2025-7739 | Cross-site scripting issue in labels impacts GitLab CE/EE | 8.7 | High |
| CVE-2025-6186 | Cross-site scripting issue in Workitem impacts GitLab CE/EE | 8.7 | High |
| CVE-2025-8094 | Improper Handling of Permissions issue in project API impacts GitLab CE/EE | 7.7 | High |
| CVE-2024-12303 | Incorrect Privilege Assignment issue in delete issues operation impacts GitLab CE/EE | 6.7 | Medium |
| CVE-2025-2614 | Allocation of Resources Without Limits issue in release name creation impacts GitLab CE/EE | 6.5 | Medium |
| CVE-2024-10219 | Incorrect Authorization issue in jobs API impacts GitLab CE/EE | 6.5 | Medium |
| CVE-2025-8770 | Authorization issue in Merge request approval policy impacts GitLab EE | 6.5 | Medium |
| CVE-2025-2937 | Inefficient Regular Expression Complexity issue in wiki impacts GitLab CE/EE | 6.5 | Medium |
| CVE-2025-1477 | Allocation of Resources Without Limits issue in Mattermost integration impacts GitLab CE/EE | 6.5 | Medium |
| CVE-2025-5819 | Incorrect Permission Assignment issue in ID token impacts GitLab CE/EE | 5.0 | Medium |
| CVE-2025-2498 | Insufficient Access Control issue in IP Restriction impacts GitLab EE | 3.1 | Low |
Mitigations
GitLab strongly recommends immediate upgrades to the latest patched versions for all self-managed installations.
The vulnerabilities were discovered through GitLab’s HackerOne bug bounty program by security researchers, including joaxcar, yvvdwf, abdelrahman_maged, and others.
GitLab.com is already running the patched versions, and GitLab Dedicated customers require no action.
The releases include both regular migrations and post-deploy migrations, which affect the upgrade process; single-node instances in particular will experience downtime during the upgrade.
Organizations should prioritize these updates: the combination of account takeover and stored XSS presents a significant risk to development workflows and sensitive code repositories.
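The first step for a self-managed fleet is to map each instance's version onto the affected ranges above. The script below is an added example for this article, not a GitLab-provided tool: it encodes the ranges the article states for CVE-2025-6186, CVE-2025-7734 and CVE-2025-7739 (the other CVEs in the table have no ranges on this page and are not modelled), parses version strings in the form GitLab reports them (for instance 18.1.3-ee), and names the patched release to move to. It also parses a response body in the shape of GitLab's GET /api/v4/version endpoint; the sample body is constructed here and is not real data.

```python
"""Map a GitLab version to the XSS CVEs from this advisory whose affected
ranges contain it. Added example for this article, not a GitLab tool.
Only the three CVEs with ranges stated in the article are modelled.
"""
import json
import re

# Patched releases per minor line, per the advisory.
PATCHED = {
    (18, 0): (18, 0, 6),
    (18, 1): (18, 1, 4),
    (18, 2): (18, 2, 2),
}
# Newest minor line the advisory's ranges cover; later lines are out of scope.
NEWEST_COVERED_LINE = (18, 2)

# First affected version per CVE, as stated in the article.
FIRST_AFFECTED = {
    "CVE-2025-6186": (18, 1, 0),   # 18.1 before 18.1.4, 18.2 before 18.2.2
    "CVE-2025-7734": (14, 2, 0),   # all versions from 14.2 before the patches
    "CVE-2025-7739": (18, 2, 0),   # 18.2 before 18.2.2 only
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '18.1.3-ee', 'v18.1.3' or '18.1.3' into (18, 1, 3)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in m.groups())


def affected_cves(version):
    """Return the sorted list of modelled CVEs whose range contains `version`."""
    v = parse_version(version)
    line = v[:2]
    if line > NEWEST_COVERED_LINE:
        return []  # released after 18.2.2; outside the advisory's ranges
    patched = PATCHED.get(line)
    # A line older than 18.0 has no patched release of its own, so every
    # version on it sits inside "from 14.2 before the patched releases".
    on_patched_release = patched is not None and v >= patched
    if on_patched_release:
        return []
    return sorted(cve for cve, first in FIRST_AFFECTED.items() if v >= first)


def recommended_upgrade(version):
    """Patched release on the same line, or 18.0.6 for older lines; None if clean."""
    if not affected_cves(version):
        return None
    target = PATCHED.get(parse_version(version)[:2], PATCHED[(18, 0)])
    return ".".join(str(p) for p in target)


def check_version_api(body):
    """Parse a /api/v4/version JSON body; return (version, cves, upgrade_to)."""
    version = json.loads(body)["version"]
    return version, affected_cves(version), recommended_upgrade(version)


if __name__ == "__main__":
    # Constructed body in the shape of GET /api/v4/version; not real data.
    sample = '{"version": "18.1.3-ee", "revision": "0000000"}'
    print(check_version_api(sample))
    for v in ("17.11.2", "18.0.5", "18.0.6", "18.2.1", "18.2.2", "18.3.0"):
        print(v, affected_cves(v), recommended_upgrade(v))
```

Note that the version endpoint requires an authenticated token, and that a result of no hits for a version newer than 18.2.2 only means the instance is outside the ranges this advisory lists, not that it is free of later issues.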