GitLab Vulnerabilities Enable Attackers to Inject Malicious Content and Execute Actions

GitLab has announced the immediate availability of patch releases 18.1.2, 18.0.4, and 17.11.6 for both Community Edition (CE) and Enterprise Edition (EE), addressing several critical security vulnerabilities and delivering a number of bug fixes.

The company strongly recommends that all self-managed GitLab installations upgrade to one of these patched versions immediately to maintain security integrity.

GitLab.com has already been updated to the patched version, while GitLab Dedicated customers require no action as the fixes are automatically applied.

Critical Security Vulnerabilities Addressed

The patch releases remediate four significant security vulnerabilities, including one high-severity cross-site scripting (XSS) issue that poses a substantial risk to GitLab installations.

The most critical vulnerability, designated CVE-2025-6948 with a CVSS score of 8.7, affects all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.

This XSS vulnerability could have allowed attackers to execute actions on behalf of users by injecting malicious content under certain conditions.

Additionally, three authorization issues have been resolved across the affected versions.

CVE-2025-3396, with a medium severity rating of 4.3, addressed an improper authorization flaw that could have allowed authenticated project owners to bypass group-level forking restrictions through API manipulation.

This vulnerability affected an extensive range of versions dating back to 13.3.

Two low-severity authorization issues, CVE-2025-4972 and CVE-2025-6168, both affecting GitLab Enterprise Edition versions 18.0 and 18.1, involved bypassing group-level user invitation restrictions through crafted API requests and group invitation functionality manipulation.
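A practical first step for a self-managed administrator is to check the running version against the affected ranges quoted above. The following script is an added example, not GitLab's own tooling: it encodes the ranges the article states for CVE-2025-6948 (17.11 before 17.11.6, 18.0 before 18.0.4, 18.1 before 18.1.2) and for CVE-2025-3396 (from 13.3 up to the same patched releases, which is an assumed reading of "dating back to 13.3"), and reports which of the two a given version string is still exposed to. The two EE-only issues are omitted because the article gives no exact range for them. The version-string format (`MAJOR.MINOR.PATCH` with an optional `-ee`/`-ce` suffix) and the `v` prefix handling are assumptions.

```python
"""Check a self-managed GitLab version against the affected ranges from the advisory.

Added example; not GitLab's own code. Ranges are taken from the article's wording.
"""
import re
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive fixed version) pairs per CVE, as stated in the article.
# The 13.3 lower bound for CVE-2025-3396 is an assumed reading of "dating back to 13.3".
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2025-6948": [
        ((17, 11, 0), (17, 11, 6)),
        ((18, 0, 0), (18, 0, 4)),
        ((18, 1, 0), (18, 1, 2)),
    ],
    "CVE-2025-3396": [
        ((13, 3, 0), (17, 11, 6)),
        ((18, 0, 0), (18, 0, 4)),
        ((18, 1, 0), (18, 1, 2)),
    ],
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    A leading 'v' and any edition suffix such as '-ee' or '-ce' are ignored
    (assumed format); a missing PATCH component is treated as 0.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def vulnerable_cves(version: str) -> List[str]:
    """Return the CVEs (from the table above) whose affected ranges contain `version`."""
    v = parse_version(version)
    return [
        cve
        for cve, ranges in AFFECTED.items()
        if any(lo <= v < hi for lo, hi in ranges)
    ]


def main(argv: List[str]) -> int:
    """Usage: python check_gitlab_version.py 18.1.1-ee"""
    if len(argv) != 2:
        print(main.__doc__)
        return 2
    hits = vulnerable_cves(argv[1])
    if hits:
        print(f"{argv[1]}: UPGRADE REQUIRED, affected by {', '.join(hits)}")
        return 1
    print(f"{argv[1]}: not in any affected range listed in the advisory")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code makes the check easy to wire into an inventory or compliance job: non-zero means the instance is inside at least one affected range and should be moved to 17.11.6, 18.0.4 or 18.1.2 as appropriate. Note that a version outside every listed range (for example a release newer than 18.1.2) is reported as unaffected only with respect to these two CVEs, not as free of any later issue.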

All security vulnerabilities were discovered through GitLab’s HackerOne bug bounty program by security researchers yvvdwf, theluci, mateuszek, and hunter0xp7.

The company follows a responsible disclosure policy, making vulnerability details public on their issue tracker 30 days after the patch release.

Comprehensive Bug Fixes and Update Recommendations

Beyond security fixes, the patch releases include numerous bug fixes and improvements across all three versions.

Notable fixes include updates to the GitLab container registry, resolution of flaky tests, improvements to code owner validation for roles, and fixes for Personal Access Token (PAT) creation in relative installations.

Version 18.1.2 received the most extensive set of updates, including backend improvements, UI enhancements, and infrastructure optimizations.

The releases also include an important security update to rsync version 3.4.1, which addresses two further vulnerabilities in that component, CVE-2024-12084 and CVE-2024-12088.

GitLab emphasizes that maintaining good security hygiene requires all customers to upgrade to the latest patch release for their supported version as soon as possible, since all deployment types, including Omnibus, source-code, and Helm chart installations, are affected by these issues.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
