GBHackers

GitLab Patches Multiple Vulnerabilities Enabling DoS and Cross-Site Scripting Attacks


GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities.

These patches, detailed in the release notes for versions 18.8.4, 18.7.4, and 18.6.6, resolve flaws that could allow attackers to steal access tokens, perform Denial of Service (DoS) attacks, or inject malicious scripts.

Critical Security Flaws Addressed

The most severe vulnerability patched in this release is CVE-2025-7659 (CVSS 8.0), an “Incomplete Validation” issue within the Web IDE.

This flaw could allow unauthenticated attackers to steal tokens and access private repositories, posing a significant risk to intellectual property and source code confidentiality.

Additionally, GitLab addressed two high-severity DoS vulnerabilities:

  • CVE-2025-8099 (CVSS 7.5): A flaw in GraphQL introspection allowing repeated queries to crash the service.
  • CVE-2026-0958 (CVSS 7.5): A middleware issue where bypassing JSON validation limits could lead to memory or CPU exhaustion.

Other high-risk patches include fixes for Cross-Site Scripting (XSS) in Code Flow (CVE-2025-14560) and HTML Injection in test case titles (CVE-2026-0595), both of which could enable attackers to execute unauthorized actions or inject malicious content.

CVE ID           Vulnerability                             Product        CVSS Score
CVE-2025-7659    Incomplete Validation in Web IDE          GitLab CE/EE   8.0
CVE-2025-8099    DoS in GraphQL introspection              GitLab CE/EE   7.5
CVE-2026-0958    DoS in JSON validation middleware         GitLab CE/EE   7.5
CVE-2025-14560   XSS in Code Flow                          GitLab CE/EE   7.3
CVE-2026-0595    HTML Injection in test case titles        GitLab CE/EE   7.3
CVE-2026-1458    DoS in Markdown processor                 GitLab CE/EE   6.5
CVE-2026-1456    DoS in Markdown Preview                   GitLab CE/EE   6.5
CVE-2026-1387    DoS in Dashboard                          GitLab EE      6.5
CVE-2025-12575   SSRF in Virtual Registry                  GitLab EE      5.4
CVE-2026-1094    Improper Validation in diff parser        GitLab CE/EE   4.6
CVE-2025-12073   SSRF in Git repository import             GitLab CE/EE   4.3
CVE-2026-1080    Authorization Bypass in iterations API    GitLab EE      4.3

GitLab strongly recommends that all self-managed installations upgrade to version 18.8.4, 18.7.4, or 18.6.6 immediately to mitigate these risks.
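A quick way for an administrator to confirm whether a self-managed instance already carries this release is to compare its version against the fixed versions per branch. The script below is an added example written for this article, not GitLab's own code; the fixed versions come from the advisory, while the branch logic (older branches treated as unpatched, newer ones assumed to include the fixes) and the sample inputs are assumptions.

```python
"""Check whether a self-managed GitLab version includes the fixes from the
18.8.4 / 18.7.4 / 18.6.6 security release.

Added example, not GitLab code. The fixed versions are taken from the
advisory; the branch handling is an assumption."""
import re
from typing import Tuple

# Minimum patched version per supported release branch (from the advisory).
PATCHED = {
    (18, 8): (18, 8, 4),
    (18, 7): (18, 7, 4),
    (18, 6): (18, 6, 6),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating suffixes such as '-ee'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3])


def assess(version_text: str) -> Tuple[bool, str]:
    """Return (is_patched, advice) for an installed version string.

    Branches older than 18.6 have no fixed release in this advisory, so the
    only remediation is to move to one of the three fixed versions."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in PATCHED:
        fixed = PATCHED[branch]
        if (major, minor, patch) >= fixed:
            return True, f"{version_text} already includes the fixes"
        return False, f"upgrade {version_text} to {'.'.join(map(str, fixed))}"
    if branch > max(PATCHED):
        # Newer than any branch in the advisory; assumed to carry the fixes.
        return True, f"{version_text} is newer than the advisory branches"
    newest = ".".join(map(str, PATCHED[max(PATCHED)]))
    return False, f"{version_text} is an unsupported branch; upgrade to {newest}"


def assess_api_response(body: dict) -> Tuple[bool, str]:
    """Feed the JSON body of GET /api/v4/version (field 'version') to assess()."""
    return assess(body["version"])


if __name__ == "__main__":
    # Constructed sample inputs, in the shape /api/v4/version returns.
    for sample in ({"version": "18.8.3-ee"}, {"version": "18.6.6"}, {"version": "18.5.2"}):
        print(assess_api_response(sample))
```

Running it prints one (patched, advice) pair per constructed sample; point `assess_api_response` at the real `/api/v4/version` response (which requires an authenticated request) to check a live instance.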

GitLab.com has already been patched, and no action is required for GitLab Dedicated customers.

Administrators should prioritize these updates given the potential for data theft and service disruption.
