
GitLab has issued a important security update addressing several vulnerabilities, including a high severity cross-site scripting (XSS) flaw. Versions 17.8.1, 17.7.3, and 17.6.4 for both Community Edition (CE) and Enterprise Edition (EE) have been released to address these issues.
The most serious vulnerability, identified as CVE-2025-0314, allows attackers to inject malicious scripts into GitLab instances via “improper rendering of certain file types.” This could lead to attackers hijacking user sessions, stealing sensitive data, or taking control of affected systems. GitLab describes the vulnerability in their advisory: “An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting.”
This vulnerability has a CVSS score of 8.7, indicating a high severity threat.
Other vulnerabilities addressed in this release include:
- CVE-2024-11931: A medium severity flaw (CVSS score 6.4) that could allow developers to “exfiltrate protected CI/CD variables via CI lint.”
- CVE-2024-6324: A medium severity denial-of-service (DoS) vulnerability (CVSS score 4.3) related to “cyclic reference of epics.”
GitLab strongly urges all users to update their installations immediately. “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.”