Critical security patches on December 10, 2025, addressing ten significant vulnerabilities across its Community Edition and Enterprise Edition platforms.
GitLab has released updated versions 18.6.2, 18.5.4, and 18.4.6 to address multiple high-severity security issues.
High-Severity Threats Identified
Four vulnerabilities received high-severity ratings and require immediate remediation.
The vulnerability landscape includes four high-severity flaws, five medium-severity issues, and one low-severity vulnerability.
Four of the critical issues involve cross-site scripting (XSS) attacks and improper encoding that could allow unauthorized actions on behalf of other users.
| CVE ID | Vulnerability Type | CVSS Score |
|---|---|---|
| CVE-2025-12716 | Cross-site Scripting (XSS) | 8.7 |
| CVE-2025-8405 | Improper Encoding / HTML Injection | 8.7 |
| CVE-2025-12029 | Cross-site Scripting (XSS) | 8.0 |
| CVE-2025-12562 | Denial of Service (DoS) | 7.5 |
| CVE-2025-11984 | Authentication Bypass | 6.8 |
| CVE-2025-4097 | Denial of Service (DoS) | 6.5 |
| CVE-2025-14157 | Denial of Service (DoS) | 6.5 |
| CVE-2025-11247 | Information Disclosure | 4.3 |
| CVE-2025-13978 | Information Disclosure | 4.3 |
| CVE-2025-12734 | HTML Injection | 3.5 |
GitLab strongly recommends all self-managed installations upgrade immediately, as GitLab.com already runs the patched version.
The most severe vulnerabilities include a cross-site scripting flaw in Wiki functionality and improper encoding in vulnerability reports, both with a CVSS score of 8.7.
Additionally, an XSS vulnerability in Swagger UI (CVSS 8.0) and a GraphQL denial-of-service issue (CVSS 7.5) pose significant risks.
The GraphQL vulnerability particularly concerns unauthenticated attackers who can craft queries bypassing complexity limits to trigger service disruptions.
An authentication bypass affecting WebAuthn two-factor-authentication users poses a medium-severity threat. Enabling authenticated attackers to circumvent security controls.
Three denial-of-service vulnerabilities target ExifTool processing, Commit API, and GraphQL endpoints, potentially disrupting service availability.
Additional issues include information disclosure through error messages and HTML injection in merge request titles.
Users running versions before 18.4.6, 18.5.x before 18.5.4, or 18.6.x before 18.6.2 are vulnerable to these exploits.
The patch includes database migrations that may impact upgrade timelines. Single-node instances will experience downtime during migration completion.
Properly configured multi-node deployments can apply updates without service interruption using zero-downtime procedures.
Organizations should prioritize these updates as part of regular security hygiene practices. GitLab Dedicated customers do not require action.
Additional details regarding affected version ranges and specific patch notes are available in the official GitLab release documentation.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
