GitLab Vulnerabilities Allow Execution of Malicious Actions via Content Injection

GitLab has released security patches addressing four vulnerabilities, including a high-severity cross-site scripting flaw that could let an attacker execute actions on behalf of a logged-in user by injecting malicious content into the application.

The company has issued patch releases 18.1.2, 18.0.4, and 17.11.6 for both Community Edition (CE) and Enterprise Edition (EE), urging immediate upgrades for all self-managed installations.

High-Severity Cross-Site Scripting Vulnerability Discovered

The most severe of the four, CVE-2025-6948, is a cross-site scripting issue rated High with a CVSS score of 8.7. It affects GitLab CE/EE from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.

Under certain conditions, an attacker who can inject content into the application can have it execute actions on behalf of the user who views it.

| CVE | Severity | CVSS | Affected versions | Impact |
| --- | --- | --- | --- | --- |
| CVE-2025-6948 | High | 8.7 | 17.11 before 17.11.6, 18.0 before 18.0.4, 18.1 before 18.1.2 | Cross-site scripting; injected content executes actions on behalf of the user |
| CVE-2025-3396 | Medium | 4.3 | 13.3 before 17.11.6, 18.0 before 18.0.4, 18.1 before 18.1.2 | Group-level forking restriction bypass via the API (authenticated project owner) |
| CVE-2025-4972 | Low | 2.7 | 18.0 before 18.0.4, 18.1 before 18.1.2 (EE only) | Group-level user invitation restriction bypass |
| CVE-2025-6168 | Low | 2.7 | 18.0 before 18.0.4, 18.1 before 18.1.2 (EE only) | Group-level user invitation restriction bypass via crafted API requests |

Security researcher yvvdwf reported the flaw through GitLab's HackerOne bug bounty program.

The High rating reflects what a cross-site scripting bug gives an attacker: script injected into GitLab content runs in the victim's browser under the victim's authenticated session, so whatever that user is permitted to do in the instance, the attacker can do without ever obtaining credentials.

Three additional vulnerabilities involve improper authorization mechanisms that could allow authenticated users to bypass various group-level restrictions. 

CVE-2025-3396, affecting GitLab CE/EE with a medium severity rating (CVSS 4.3), enables authenticated project owners to circumvent group-level forking restrictions through API manipulation.

The flaw dates back to version 13.3, so every self-managed instance on any release from 13.3 up to the fixed versions is affected.

Two low-severity authorization issues affect GitLab EE exclusively. 

CVE-2025-4972 and CVE-2025-6168 both carry CVSS scores of 2.7, allowing authenticated users with specific privileges to bypass group-level user invitation restrictions through crafted API requests or manipulation of group invitation functionality.
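To turn the version ranges above into something an administrator can run against a self-managed instance, here is a small version checker. It is an added example, not GitLab's own tooling: the affected ranges are transcribed from the advisory, while the function names, the CE/EE handling (EE-only issues are dropped only when the version string carries an explicit -ce suffix, otherwise they are kept to stay conservative) and the constructed sample version strings are this example's own assumptions. The `fetch_version` helper calls GitLab's authenticated `/api/v4/version` REST endpoint and is the only part that needs network access.

```python
"""Check a GitLab version string against the affected ranges published for
the 18.1.2 / 18.0.4 / 17.11.6 patch releases.

Added example, not GitLab's own tooling. The version ranges are transcribed
from the advisory; the function names, the CE/EE handling and the sample
versions at the bottom are this example's own assumptions.
"""
import json
import re
import sys
import urllib.request

# Affected ranges per CVE as (first affected, first fixed) pairs, one per
# release branch. "first affected" is inclusive and may be a branch prefix
# such as (17, 11), meaning 17.11.0; "first fixed" is exclusive.
AFFECTED = {
    "CVE-2025-6948": [((17, 11), (17, 11, 6)), ((18, 0), (18, 0, 4)), ((18, 1), (18, 1, 2))],
    "CVE-2025-3396": [((13, 3), (17, 11, 6)), ((18, 0), (18, 0, 4)), ((18, 1), (18, 1, 2))],
    "CVE-2025-4972": [((18, 0), (18, 0, 4)), ((18, 1), (18, 1, 2))],
    "CVE-2025-6168": [((18, 0), (18, 0, 4)), ((18, 1), (18, 1, 2))],
}

# The two invitation-restriction bypasses are reported for GitLab EE only.
EE_ONLY = {"CVE-2025-4972", "CVE-2025-6168"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(ce|ee))?")


def parse_version(version):
    """Return ((major, minor, patch), edition) for strings such as '18.1.1-ee'
    or '17.11.5'. Edition is 'ce', 'ee' or 'unknown' when no suffix is present."""
    m = VERSION_RE.search(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, (m.group(4) or "unknown")


def in_range(v, lo, hi):
    """True when lo <= v < hi; a short lo such as (17, 11) is padded to (17, 11, 0)."""
    lo = lo + (0,) * (3 - len(lo))
    return lo <= v < hi


def affected_cves(version):
    """List the advisory CVEs that apply to this version, in advisory order.

    Edition handling is deliberately conservative: EE-only issues are skipped
    only for an explicit '-ce' suffix; an unknown edition keeps them."""
    nums, edition = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if cve in EE_ONLY and edition == "ce":
            continue
        if any(in_range(nums, lo, hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def fetch_version(base_url, token):
    """Read the running version from a live instance via GET /api/v4/version,
    an authenticated GitLab REST endpoint. Needs network access, so the offline
    checks below do not call it."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs; pass real version strings as arguments instead.
    samples = sys.argv[1:] or ["18.1.1-ee", "18.0.3-ce", "17.11.5", "17.10.3-ee", "18.1.2-ee"]
    for v in samples:
        hits = affected_cves(v)
        print(f"{v:<12} {'OK' if not hits else 'UPGRADE: ' + ', '.join(hits)}")
```

One caveat when reading the output: GitLab backports security fixes only to the three most recent minor releases, so an instance older than 17.11 that reports no hit for CVE-2025-6948 is outside this advisory's patch window, not demonstrably unaffected. Likewise, the advisory lists no affected range above 18.1.1, so releases newer than the patched ones report nothing because they ship with the fixes. In either case the remediation is the same: move to one of the three patched releases or later.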

GitLab strongly recommends immediate upgrades to the latest patch releases for all affected installations.

GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action. Following its standard disclosure practice, GitLab makes the full details of each issue public 30 days after the release that fixes it.

Additionally, GitLab has updated rsync to version 3.4.1, addressing security vulnerabilities CVE-2024-12084 and CVE-2024-12088.

Organizations running self-managed GitLab should prioritize these updates; upgrading to one of the three patched releases is the remediation GitLab recommends for all four issues.
