GitLab Vulnerabilities Allow Execution of Malicious Actions via Content Injection
GitLab has released critical security patches addressing four vulnerabilities, including a high-severity cross-site scripting flaw that could enable attackers to execute malicious actions on behalf of users through content injection.
The company has issued patch releases 18.1.2, 18.0.4, and 17.11.6 for both Community Edition (CE) and Enterprise Edition (EE), urging immediate upgrades for all self-managed installations.
Critical Cross-Site Scripting Vulnerability Discovered
The most severe vulnerability, CVE-2025-6948, represents a significant security risk with a CVSS score of 8.7. This cross-site scripting issue affects all GitLab CE/EE versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.
Under certain conditions, the vulnerability could allow an attacker to inject content that executes actions on behalf of other users.
| CVE | Severity | CVSS Score | Affected Versions | Impact |
|---|---|---|---|---|
| CVE-2025-6948 | High | 8.7 | 17.11-17.11.5, 18.0-18.0.3, 18.1-18.1.1 | Cross-site scripting enabling malicious action execution |
| CVE-2025-3396 | Medium | 4.3 | 13.3-17.11.5, 18.0-18.0.3, 18.1-18.1.1 | Forking restriction bypass via API manipulation |
| CVE-2025-4972 | Low | 2.7 | 18.0-18.0.3, 18.1-18.1.1 | User invitation restriction bypass |
| CVE-2025-6168 | Low | 2.7 | 18.0-18.0.3, 18.1-18.1.1 | User invitation restriction bypass via API |
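The table above gives everything an administrator needs to decide whether a self-managed instance is exposed. The following script, added here as an example and not code from GitLab or from the article, encodes those affected ranges (plus the two EE-only flags from the text and the rsync 3.4.1 baseline mentioned later) and reports which CVEs apply to a given version string. The function names and the sample version strings are constructed for the example.

```python
"""Check a self-managed GitLab version against the advisory's affected ranges.

Added example for this article (not GitLab's code). The ranges come from the
advisory table; function names and sample inputs are constructed.
"""
import re

# Affected ranges as (first affected, first fixed) per release line, taken from
# the advisory table. "ee_only" marks the two issues that affect Enterprise
# Edition only, per the article text.
ADVISORY = {
    "CVE-2025-6948": {
        "ranges": [("17.11.0", "17.11.6"), ("18.0.0", "18.0.4"), ("18.1.0", "18.1.2")],
        "ee_only": False,
    },
    "CVE-2025-3396": {
        "ranges": [("13.3.0", "17.11.6"), ("18.0.0", "18.0.4"), ("18.1.0", "18.1.2")],
        "ee_only": False,
    },
    "CVE-2025-4972": {
        "ranges": [("18.0.0", "18.0.4"), ("18.1.0", "18.1.2")],
        "ee_only": True,
    },
    "CVE-2025-6168": {
        "ranges": [("18.0.0", "18.0.4"), ("18.1.0", "18.1.2")],
        "ee_only": True,
    },
}

# rsync version bundled with the patch releases, from the article.
RSYNC_FIXED = "3.4.1"


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' with an optional '-ce'/'-ee' suffix.

    Returns ((major, minor, patch), edition_or_None). Raises on junk input so a
    typo in an inventory file cannot silently read as "not affected".
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(ce|ee))?\s*$", text, re.I)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.groups()[:3])
    edition = match.group(4).lower() if match.group(4) else None
    return numbers, edition


def affected_cves(gitlab_version, edition="ee"):
    """Return the list of advisory CVEs that apply to this GitLab version.

    The edition suffix on the version string wins over the ``edition`` argument.
    An empty list means the instance is at or past the first fixed release on
    its line (or the line was never affected).
    """
    version, suffix = parse_version(gitlab_version)
    edition = (suffix or edition).lower()
    hits = []
    for cve, info in ADVISORY.items():
        if info["ee_only"] and edition != "ee":
            continue
        for first_affected, first_fixed in info["ranges"]:
            if parse_version(first_affected)[0] <= version < parse_version(first_fixed)[0]:
                hits.append(cve)
                break
    return hits


def rsync_needs_update(rsync_version):
    """True when the installed rsync is older than the version shipped in the patch."""
    return parse_version(rsync_version)[0] < parse_version(RSYNC_FIXED)[0]


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, GitLab version, rsync version).
    inventory = [
        ("git-prod", "18.1.1-ee", "3.2.7"),
        ("git-staging", "18.1.2-ee", "3.4.1"),
        ("git-legacy", "17.10.0-ce", "3.2.7"),
    ]
    for host, gl_version, rs_version in inventory:
        cves = affected_cves(gl_version)
        status = ", ".join(cves) if cves else "not affected"
        rsync_note = " (rsync outdated)" if rsync_needs_update(rs_version) else ""
        print(f"{host}: GitLab {gl_version} -> {status}{rsync_note}")
```

Note the `git-legacy` case: 17.10 is older than the three patched lines, so the check reports CVE-2025-3396 and there is no 17.10 patch to apply; the only fix is moving to 17.11.6 or newer. The version string can be read from `gitlab-rake gitlab:env:info` on the host or from the authenticated `/api/v4/version` endpoint.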
Security researcher yvvdwf discovered this critical flaw through GitLab’s HackerOne bug bounty program.
The vulnerability’s high severity rating stems from its potential for complete compromise of user sessions and unauthorized action execution within GitLab environments.
Three additional vulnerabilities involve improper authorization mechanisms that could allow authenticated users to bypass various group-level restrictions.
CVE-2025-3396, affecting GitLab CE/EE with a medium severity rating (CVSS 4.3), enables authenticated project owners to circumvent group-level forking restrictions through API manipulation.
This vulnerability has existed since version 13.3, making it particularly widespread across GitLab installations.
Two low-severity authorization issues affect GitLab EE exclusively.
CVE-2025-4972 and CVE-2025-6168 both carry CVSS scores of 2.7, allowing authenticated users with specific privileges to bypass group-level user invitation restrictions through crafted API requests or manipulation of group invitation functionality.
GitLab strongly recommends immediate upgrades to the latest patch releases for all affected installations.
GitLab.com has already implemented the patches, while GitLab Dedicated customers require no action. The company follows a responsible disclosure timeline, publishing vulnerability details 30 days after patch release.
Additionally, GitLab has updated rsync to version 3.4.1, addressing security vulnerabilities CVE-2024-12084 and CVE-2024-12088.
Organizations should prioritize these updates to maintain robust security postures and protect against potential exploitation of these vulnerabilities.