GitLab has released security updates to address several high-severity vulnerabilities in its platform that could allow attackers to bypass security controls, execute malicious scripts, and access sensitive data.
The patches, shipped in versions 17.9.1, 17.8.4, and 17.7.6 for both Community Edition (CE) and Enterprise Edition (EE), fix flaws in the Kubernetes integration, the dependency proxy, and authorization checks.
Immediate upgrades are strongly recommended for all self-managed instances.
Detailed Vulnerability Analysis
CVE-2025-0475: XSS in Kubernetes Proxy Endpoint (CVSS 8.7)
A high-severity cross-site scripting (XSS) vulnerability was found in GitLab's Kubernetes proxy endpoint, allowing attackers to inject malicious scripts through improperly sanitized content.
Exploiting this flaw, which affects releases from 15.10 up to the fixed versions, could compromise user sessions or redirect traffic under certain conditions.
CVE-2025-0555: XSS in Maven Dependency Proxy (CVSS 7.7)
Another high-severity XSS flaw in GitLab EE's Maven Dependency Proxy allowed attackers to bypass security controls and execute arbitrary scripts in users' browsers.
Affecting releases from 16.6 up to the fixed versions, this vulnerability highlights the supply chain exposure of dependency management systems.
CVE-2024-8186: HTML Injection Leading to XSS (CVSS 5.4)
A medium-severity HTML injection flaw in GitLab's child item search feature (releases from 16.6 up to the fixed versions) let attackers inject malicious markup, potentially leading to XSS on self-hosted instances.
CVE-2024-10925: Guest User Authorization Bypass (CVSS 5.3)
This medium-severity flaw allowed Guest users in GitLab EE (releases from 16.2 up to the fixed versions) to read security policy YAML files containing sensitive rules and configuration.
CVE-2025-0307: Planner Role Data Exposure (CVSS 4.3)
Users holding the Planner role in private GitLab EE projects (releases from 17.7 up to the fixed versions) could improperly access code review analytics, violating least-privilege principles.
Patch Deployment and Mitigation
GitLab.com and GitLab Dedicated instances have already been patched, but self-managed deployments must be manually upgraded to 17.9.1, 17.8.4, or 17.7.6.
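The branch-aware "am I still exposed" check that the paragraph above implies, written out as an added example (not GitLab's own tooling). It assumes the version string is the one a self-managed instance returns in the "version" field of GET /api/v4/version (for example "17.8.2-ee") and takes the affected range from this article: every release from 15.10 onward that is older than the fix for its branch, with 17.7.6 as the minimum target for branches that received no backport.

```python
"""Decide whether a self-managed GitLab version still needs the
February 2025 patch release (17.9.1 / 17.8.4 / 17.7.6).

Added example; not GitLab code. Assumption: the input is the "version"
field of GET /api/v4/version, e.g. "17.8.2-ee" or "17.9.0-pre".
"""

import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release for each branch that received a backport (from the advisory).
FIXED_BY_BRANCH = {
    (17, 7): (17, 7, 6),
    (17, 8): (17, 8, 4),
    (17, 9): (17, 9, 1),
}
# Oldest fixed release; branches 15.10 .. 17.6 have no backport and must move here.
OLDEST_FIX: Version = (17, 7, 6)
# Earliest affected release across the five CVEs (CVE-2025-0475 reaches back to 15.10).
FIRST_AFFECTED: Version = (15, 10, 0)


def parse_version(raw: str) -> Version:
    """Extract major.minor.patch, ignoring a leading 'v' and any -ee/-ce/-pre suffix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fix_for(version: Version) -> Optional[Version]:
    """Return the release that closes these CVEs for this branch, or None if the
    branch is newer than 17.9 and therefore already carries the fix."""
    branch = (version[0], version[1])
    if branch in FIXED_BY_BRANCH:
        return FIXED_BY_BRANCH[branch]
    if version < OLDEST_FIX:
        return OLDEST_FIX
    return None


def is_affected(raw: str) -> bool:
    """True when the instance runs a release inside the advisory's affected range."""
    version = parse_version(raw)
    if version < FIRST_AFFECTED:
        return False  # predates the oldest affected release
    fix = fix_for(version)
    return fix is not None and version < fix


def recommended_upgrade(raw: str) -> Optional[str]:
    """Smallest fixed release the instance should move to, or None if none is needed."""
    if not is_affected(raw):
        return None
    fix = fix_for(parse_version(raw))
    return "%d.%d.%d" % fix if fix else None


if __name__ == "__main__":
    # Constructed sample of version strings an inventory script might collect.
    for v in ["17.8.2-ee", "17.8.4-ee", "16.11.3", "17.9.1-ce", "17.10.0-pre"]:
        target = recommended_upgrade(v)
        print(f"{v:12s} affected={is_affected(v)!s:5s} upgrade_to={target}")
```

Feed it the versions collected from each instance's /api/v4/version endpoint; anything that returns a target release belongs at the top of the upgrade queue, with the Kubernetes- and Maven-using instances from the checklist below first.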
The company follows a 30-day disclosure policy; full technical details for these CVEs are scheduled for publication on March 27, 2025.
Administrators should:
- Prioritize upgrades for instances that use the Kubernetes integration, the Maven dependency proxy, or fine-grained role-based access controls.
- Audit user permissions to ensure they follow least-privilege policies.
- Monitor proxy endpoint traffic for unusual HTML or script payloads.
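One way to act on the last checklist item, as an added example that is not part of the original article or of GitLab's tooling: scan gitlab-rails/production_json.log for requests to proxy-style endpoints whose path or query parameters decode to script-like content. It assumes the log's one-JSON-object-per-line shape with "path" and a "params" list of {"key","value"} entries; the path fragments used to pick out proxy endpoints are illustrative, since the article does not name the exact vulnerable routes, and the sample log lines are constructed.

```python
"""Flag script-like payloads aimed at GitLab proxy endpoints in
gitlab-rails/production_json.log.

Added example, not GitLab code. Assumptions: one JSON object per line with
"path" and a "params" list of {"key", "value"} entries; the endpoint
fragments in PROXY_PATHS are illustrative, not the advisory's exact routes.
"""

import json
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote_plus

# Hypothetical markers for the endpoints this advisory concerns; adjust to your routes.
PROXY_PATHS = re.compile(r"(kubernetes|k8s-proxy|dependency_proxy)", re.IGNORECASE)

# Coarse XSS / HTML-injection indicators, applied after URL decoding.
SCRIPT_MARKERS = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b"
    r"|javascript\s*:"
    r"|\bon(?:error|load|click|focus|mouseover)\s*=",
    re.IGNORECASE,
)


def decode(value: str) -> str:
    """Decode twice: payloads are often double-encoded to slip past naive filters."""
    return unquote_plus(unquote_plus(value))


def inspect_line(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None if it is benign or not a proxy request."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None  # truncated or non-JSON line; ignore rather than crash the scan
    path = str(entry.get("path", ""))
    if not PROXY_PATHS.search(path):
        return None
    candidates = [path] + [
        str(p.get("value", "")) for p in entry.get("params", []) if isinstance(p, dict)
    ]
    evidence = [decode(c) for c in candidates if SCRIPT_MARKERS.search(decode(c))]
    if not evidence:
        return None
    return {
        "time": entry.get("time"),
        "remote_ip": entry.get("remote_ip"),
        "path": path,
        "evidence": evidence,
    }


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run inspect_line over a log stream and keep only the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample lines in the production_json.log shape (not real traffic).
SAMPLE_LOG = [
    '{"time":"2025-02-27T10:00:01Z","method":"GET","path":"/-/kubernetes-agent/k8s-proxy/api/v1/namespaces","params":[],"status":200,"remote_ip":"10.0.0.5"}',
    '{"time":"2025-02-27T10:00:07Z","method":"GET","path":"/api/v4/groups/7/-/dependency_proxy/maven/com/example","params":[{"key":"name","value":"%253Cscript%253Ealert(1)%253C%252Fscript%253E"}],"status":200,"remote_ip":"203.0.113.9"}',
    '{"time":"2025-02-27T10:00:09Z","method":"GET","path":"/search","params":[{"key":"q","value":"<script>alert(1)</script>"}],"status":200,"remote_ip":"198.51.100.2"}',
    'not a json line at all',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line carries the same payload against an unrelated route and is deliberately left alone: the point is to watch the proxy endpoints named in the advisory, not to turn every search query into an alert. Widen PROXY_PATHS, or drop it, if you want instance-wide coverage.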
These vulnerabilities highlight systemic risks in CI/CD platforms, particularly as attackers increasingly target:
- Dependency chains: flaws like CVE-2025-0555 show that dependency management components are themselves attack surface, not just the packages they serve.
- Overprivileged roles: flaws like CVE-2025-0307 show how authorization checks for a role can drift from its intended scope in complex projects.
- Third-party integrations: the Kubernetes proxy vulnerability (CVE-2025-0475) shows the risks in cloud-native tooling.
GitLab credited researchers joaxcar, yuki_osaki, and weasterhacker through its bug bounty program, with payouts commensurate with the CVSS ratings.
With over 30 million users relying on GitLab, these patches are critical to maintaining trust in modern software delivery pipelines.