GitLab has released critical security patches addressing nine vulnerabilities across Community Edition (CE) and Enterprise Edition (EE), including a concerning prompt injection flaw in GitLab Duo that could expose sensitive information from confidential issues.
The company is urging all self-managed installations to upgrade immediately to versions 18.5.2, 18.4.4, or 18.3.6.
The most alarming vulnerability is CVE-2025-6945, a prompt injection flaw in GitLab Duo’s review feature that allows authenticated users to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments.
This attack demonstrates how AI-powered features can become security risks when input validation fails.
| CVE ID | Vulnerability Title | Severity | CVSS Score |
|---|---|---|---|
| CVE-2025-11224 | Cross-site scripting in k8s proxy | High | 7.7 |
| CVE-2025-11865 | Incorrect authorization in workflows | Medium | 6.5 |
| CVE-2025-2615 | Information disclosure in GraphQL subscriptions | Medium | 4.3 |
| CVE-2025-7000 | Information disclosure in access control | Medium | 4.3 |
| CVE-2025-6945 | Prompt injection in GitLab Duo review | Low | 3.5 |
| CVE-2025-6171 | Information disclosure in packages API | Low | 3.1 |
| CVE-2025-11990 | Client-side path traversal in branch names | Low | 3.1 |
| CVE-2025-7736 | Improper access control in GitLab Pages | Low | 3.1 |
| CVE-2025-12983 | Denial of service in markdown | Low | 3.1 |
The patch batch also includes a high-severity cross-site scripting vulnerability (CVE-2025-11224) in the Kubernetes proxy functionality, which could allow authenticated users to execute stored XSS attacks due to improper input validation.
This affects GitLab versions back to 15.10, creating a significant exposure window for organizations running older instances.
Additionally, GitLab addressed two medium-severity information disclosure issues that could grant unauthorized access to sensitive data.
CVE-2025-2615 allows blocked users to access confidential information through GraphQL WebSocket subscriptions.
Separately, CVE-2025-7000 permits unauthorized users to view confidential branch names by accessing project issues with related merge requests. These flaws highlight gaps in GitLab’s access control mechanisms.
Enterprise Edition users should pay attention to CVE-2025-11865. This medium-severity authorization bypass allows users to remove another user’s Duo workflows.
This vulnerability underscores the need for stricter permission validation in workflow management systems.
The remaining six vulnerabilities carry lower severity ratings but still warrant attention. CVE-2025-6171 enables authenticated reporters to view restricted branch names and pipeline details through the packages API endpoint.
CVE-2025-7736 allows users to bypass access controls and access GitLab Pages content through OAuth provider authentication.
CVE-2025-11990 presents a client-side path-traversal risk via repository references and redirect-handling weaknesses.
Finally, CVE-2025-12983 can trigger denial-of-service conditions via specially crafted Markdown with nested formatting patterns.
GitLab recommends immediate action for all affected installations. GitLab.com users are already running patched versions, and Dedicated customers require no action.
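The practical question for administrators is whether each self-managed instance already runs one of the fixed releases. The following is an added example (not GitLab's own tooling) that compares reported version strings, in the format returned by GitLab's `GET /api/v4/version` endpoint, against the patched versions named in the advisory; the host inventory is constructed sample data, and the assumption that release branches newer than 18.5 already carry the fixes is ours.

```python
"""Check GitLab version strings against the fixed releases 18.5.2, 18.4.4 and 18.3.6."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed release per maintained branch, taken from the advisory.
PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (18, 5): (18, 5, 2),
    (18, 4): (18, 4, 4),
    (18, 3): (18, 3, 6),
}


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn a string such as '18.4.3-ee' or 'v18.5.2' into (18, 4, 3)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None  # unparsable strings are reported as unpatched, not ignored
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its branch."""
    v = parse_version(version)
    if v is None:
        return False
    branch = v[:2]
    if branch in PATCHED:
        return v >= PATCHED[branch]
    # Assumption: branches cut after 18.5 already include the fixes.
    # Anything older than 18.3 has no patched release and must upgrade.
    return branch > max(PATCHED)


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY: Dict[str, str] = {
    "git.example.internal": "18.5.1-ee",
    "ci.example.internal": "18.4.4",
    "legacy.example.internal": "17.11.2",
    "new.example.internal": "18.6.0",
}


def unpatched_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported version still needs the upgrade."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs upgrade")
```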
Security researchers participating in HackerOne’s bug bounty program reported most of the vulnerabilities, demonstrating the value of coordinated disclosure.
The company also updated libxslt to version 1.1.43, patching additional security issues, including CVE-2024-55549 and CVE-2025-24855.
