
GitLab has issued a security advisory, urging all self-managed GitLab installations to upgrade immediately to versions 17.9.1, 17.8.4, or 17.7.6. This urgent call to action follows the discovery of multiple vulnerabilities, including high-severity Cross-Site Scripting (XSS) flaws that could expose sensitive user data.
A flaw in the Kubernetes proxy endpoint (CVE-2025-0475) carries a CVSS score of 8.7, rated high. It affects all versions from 15.10 prior to the patched releases. According to GitLab, “A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.” In practice, a reflected or stored XSS in a GitLab page runs attacker-controlled script in the victim’s browser within their authenticated GitLab session, which can expose session data or let the attacker act as that user.
Another high-severity XSS vulnerability (CVE-2025-0555), with a CVSS score of 7.7, affects the Maven Dependency Proxy in GitLab-EE. This vulnerability, affecting versions from 16.6 prior to the patched releases, could allow attackers to “bypass security controls and execute arbitrary scripts in a user’s browser under specific conditions.”
In addition to the XSS flaws, GitLab has addressed several other security issues:
- HTML Injection Leading to XSS (CVE-2024-8186): A medium-severity vulnerability (CVSS 5.4) allows HTML injection in child item searches, potentially leading to XSS.
- Improper Authorisation Check Allows Guest User to Read Security Policy (CVE-2024-10925): A medium-severity vulnerability (CVSS 5.3) allows guest users to read security policy YAML files.
- Planner Role Can Read Code Review Analytics in Private Projects (CVE-2025-0307): A medium-severity vulnerability (CVSS 4.3) allows users with limited permissions to access sensitive project analytics data.
Administrators should update their self-managed GitLab instances to versions 17.9.1, 17.8.4, or 17.7.6, depending on their current deployment version.
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab emphasized.
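Because the three fixed releases sit on different branches, deciding whether a given instance is exposed is a small version-comparison problem. The script below is an added example, not GitLab’s own tooling or anything from the advisory: it encodes only what the advisory states (fixed releases 17.9.1 / 17.8.4 / 17.7.6, CVE-2025-0475 affecting 15.10 onward, CVE-2025-0555 affecting GitLab EE from 16.6 onward) and assumes version strings of the form `17.8.3-ee` as returned by the `/api/v4/version` endpoint. Branches newer than 17.9 are assumed to ship with the fix; branches older than 17.7 have no patched release and are flagged for an upgrade to a supported branch.

```python
"""Classify a self-managed GitLab version against the advisory above.

Added example, not GitLab's own tooling. Only the ranges the advisory text
states are encoded: fixed releases 17.9.1 / 17.8.4 / 17.7.6, CVE-2025-0475
from 15.10, and CVE-2025-0555 (EE only) from 16.6.
"""
import json
import sys
import urllib.request

# Patched release per maintained branch, keyed by (major, minor).
FIXED_RELEASES = {
    (17, 9): (17, 9, 1),
    (17, 8): (17, 8, 4),
    (17, 7): (17, 7, 6),
}

# First affected version for the two high-severity XSS issues, and whether
# the advisory scopes the bug to GitLab EE.
HIGH_SEVERITY_CVES = {
    "CVE-2025-0475": {"start": (15, 10, 0), "ee_only": False},
    "CVE-2025-0555": {"start": (16, 6, 0), "ee_only": True},
}


def parse_version(version_str):
    """Turn '17.8.3-ee' into ((17, 8, 3), 'ee').

    Assumption: the edition is carried as a '-ee' / '-ce' suffix, as the
    /api/v4/version endpoint reports it; a missing suffix is treated as CE.
    """
    core, _, suffix = version_str.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    edition = suffix.lower() if suffix else "ce"
    return tuple(parts[:3]), edition


def is_patched(version):
    """True if this version already carries the fixed code."""
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    # Assumption: branches after 17.9 were cut after the fix landed; branches
    # before 17.7 have no patched release and must move to a supported branch.
    return branch > (17, 9)


def affected_cves(version_str):
    """Return the high-severity CVEs from the advisory that apply."""
    version, edition = parse_version(version_str)
    if is_patched(version):
        return []
    hits = []
    for cve, info in HIGH_SEVERITY_CVES.items():
        if info["ee_only"] and edition != "ee":
            continue
        if version >= info["start"]:
            hits.append(cve)
    return hits


def recommended_release(version_str):
    """Fixed release on the instance's own branch, or None if the instance is
    already patched or its branch has no patched release (then move to
    17.7.6 or newer)."""
    version, _ = parse_version(version_str)
    if is_patched(version):
        return None
    fixed = FIXED_RELEASES.get(version[:2])
    return ".".join(map(str, fixed)) if fixed else None


def fetch_instance_version(base_url, token):
    """Query a live instance; needs a personal access token with read_api."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Usage: python gitlab_check.py https://gitlab.example.com $TOKEN
    # With no arguments, a constructed sample version is classified instead.
    if len(sys.argv) == 3:
        current = fetch_instance_version(sys.argv[1], sys.argv[2])
    else:
        current = "17.8.3-ee"  # constructed sample, not a real instance
    print(current, "affected by:", affected_cves(current) or "nothing listed",
          "| upgrade to:", recommended_release(current) or "17.7.6 or newer")
```

The comparison is done on `(major, minor, patch)` tuples rather than on strings, which is what makes `17.10` sort after `17.9`; a naive string compare would get that wrong. The medium-severity issues are left out because the advisory excerpt above does not state their affected ranges.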