GitLab has released critical security patches addressing multiple high-severity vulnerabilities that could enable attackers to achieve complete account takeover and compromise enterprise development environments.
The company issued versions 18.0.2, 17.11.4, and 17.10.8 for both Community Edition (CE) and Enterprise Edition (EE), urging all self-managed installations to upgrade immediately before these vulnerabilities can be exploited.
Two particularly severe vulnerabilities pose immediate threats to GitLab users. CVE-2025-4278, scoring 8.7 on the CVSS scale, represents a critical HTML injection vulnerability that could allow attackers to achieve account takeover by injecting malicious code into the search page under certain conditions.
This vulnerability affects all GitLab CE/EE versions starting with 18.0 before 18.0.2, creating a significant attack surface for organizations running recent GitLab installations.
Equally concerning is CVE-2025-2254, another high-severity cross-site scripting vulnerability with a CVSS score of 8.7.
This vulnerability enables attackers to execute malicious scripts within the snippet viewer, potentially allowing them to act in the context of legitimate users.
The vulnerability impacts a broader range of versions, affecting GitLab CE/EE installations from version 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2.
Multiple GitLab Vulnerabilities
Beyond account takeover vulnerabilities, GitLab addressed several other critical security issues that could severely impact organizational security posture.
CVE-2025-5121 affects only GitLab Ultimate EE and allows an authenticated attacker to inject malicious CI/CD jobs into all future pipelines of any project.
This vulnerability, scoring 8.5 on CVSS, affects Ultimate EE versions from 17.11 before 17.11.4 and 18.0 before 18.0.2.
Multiple denial-of-service vulnerabilities were also remediated, including CVE-2025-0673, which could trigger infinite redirect loops causing memory exhaustion.
Additional DoS vectors include unbounded webhook token names (CVE-2025-1516) and oversized board names (CVE-2025-1478), both capable of disrupting service availability.
Information disclosure vulnerabilities round out the security concerns, with CVE-2024-9512 potentially exposing private repositories during secondary node synchronization issues.
Recommended Actions
GitLab strongly recommends immediate upgrade to the latest patched versions for all affected installations.
The company emphasizes that GitLab.com is already running the patched version, while GitLab Dedicated customers require no action.
Organizations should prioritize upgrading installations running affected versions, as these vulnerabilities represent significant security risks to development infrastructure and sensitive code repositories.
All reported vulnerabilities were discovered through GitLab’s HackerOne bug bounty program, with researchers joaxcar, yvvdwf, jean_d-ou, sim4n6, pwnie, and hdtran credited for their discoveries.
GitLab maintains its standard practice of making vulnerability details public 30 days after patch release.
The company releases security fixes through both scheduled bi-monthly releases and ad-hoc critical patches for high-severity vulnerabilities.
Organizations should verify their current GitLab version and schedule maintenance windows immediately to deploy these security updates. Delayed patching leaves development environments exposed to sophisticated attacks targeting source code repositories and CI/CD infrastructure.
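The version check recommended above, as an added example rather than GitLab's own tooling: it encodes the affected ranges this advisory gives for CVE-2025-4278, CVE-2025-2254 and CVE-2025-5121 (the DoS and disclosure CVEs have no ranges stated here and are left out) and reports which apply to a running version string. The GET /api/v4/version endpoint and PRIVATE-TOKEN header are GitLab's real API; the helper names and the sample version strings are assumptions of this example.

```python
import json
import re
import urllib.request

# Affected ranges as stated in the advisory above: a version v is affected by a
# CVE when first_affected <= v < fixed_in for any listed pair. Only the CVEs
# whose ranges the advisory gives are encoded here.
ADVISORY = {
    "CVE-2025-4278": [("18.0.0", "18.0.2")],
    "CVE-2025-2254": [("17.9.0", "17.10.8"), ("17.11.0", "17.11.4"),
                      ("18.0.0", "18.0.2")],
    "CVE-2025-5121": [("17.11.0", "17.11.4"), ("18.0.0", "18.0.2")],  # Ultimate EE only
}
PATCHED = ("17.10.8", "17.11.4", "18.0.2")

def parse_version(s):
    """Turn '18.0.1-ee' or '17.11.3' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    return tuple(int(x) for x in m.groups())

def affected_cves(version, ultimate_ee=False):
    """Return the CVEs from this advisory that the running version is exposed to."""
    v = parse_version(version)
    hits = []
    for cve, ranges in ADVISORY.items():
        if cve == "CVE-2025-5121" and not ultimate_ee:
            continue  # the pipeline-injection bug only affects Ultimate EE
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits

def recommended_upgrade(version, ultimate_ee=False):
    """Lowest patched release above the running version, or None if not affected."""
    if not affected_cves(version, ultimate_ee):
        return None
    v = parse_version(version)
    return min((p for p in PATCHED if parse_version(p) > v), key=parse_version)

def version_from_api(base_url, token):
    """Read the running version from GET /api/v4/version (needs a token with read_api)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]
```

Feed the string from version_from_api (or from the instance's Help page) into affected_cves and recommended_upgrade to get the applicable CVEs and the release to move to.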