CVE-2025-2254NVD

Vulnerability Summary

An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper output encoding in the snipper viewer functionality lead to Cross-Site scripting attacks.

Severity Level

HIGH(8.7)

Published Date

Jun 12, 2025

Last Modified

Aug 8, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-79: Cross-site Scripting (XSS) ↗

The software does not neutralize user-controllable input before it is placed in output that is used as a web page.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionRequired

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityNone

External References

https://gitlab.com/gitlab-org/gitlab/-/issues/524636
https://hackerone.com/reports/2973939

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2025-2254NVD

Vulnerability Summary

External References