
GitLab has issued a security advisory urging all users of self-managed GitLab Community Edition (CE) and Enterprise Edition (EE) to upgrade immediately to the latest versions: 17.10.1, 17.9.3, or 17.8.6. The update addresses a series of vulnerabilities ranging from high to low severity, including Cross-Site Scripting (XSS) flaws and privilege escalation issues.
Two high-severity XSS vulnerabilities have been patched, both assigned a CVSS score of 8.7. The first, CVE-2025-2255, stems from “Cross-site Scripting (XSS) through merge-request error messages,” affecting versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. An attacker could exploit this flaw to inject malicious scripts via crafted error messages.
The second, CVE-2025-0811, involves “Cross-site Scripting (XSS) through improper rendering of certain file types,” impacting versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper file rendering could allow malicious code execution within the user’s browser.
Both vulnerabilities were responsibly disclosed by yvvdwf through GitLab’s HackerOne bug bounty program.
A significant privilege escalation vulnerability, CVE-2025-2242, was also addressed. “An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.” This critical flaw, with a CVSS score of 7.5, could allow former admins to retain significant control even after their permissions are revoked.
Furthermore, CVE-2024-12619 reveals that “an issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.” This medium-severity vulnerability, reported by aituglo, carries a CVSS score of 5.2.
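One way to turn the version ranges quoted above into a quick check for a self-managed instance, as an added example (not GitLab's or the article's code): the script encodes the affected windows for the four CVEs whose ranges are stated and reports which apply to a given version string. The handling of an edition suffix such as `-ee` and the sample versions are assumptions of this example.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Each affected window ends at a patched release named in the advisory:
# "from X before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1".
# The first window's start is replaced by the CVE's own lower bound below.
ALL_WINDOWS = [((0,), (17, 8, 6)), ((17, 9), (17, 9, 3)), ((17, 10), (17, 10, 1))]

# Lower bound of the affected range per CVE, as quoted in the advisory.
# CVE-2024-10307 and CVE-2024-9773 are omitted: the article gives no ranges.
AFFECTED_FROM: Dict[str, str] = {
    "CVE-2025-2255": "13.5.0",   # XSS via merge-request error messages
    "CVE-2025-0811": "17.7",     # XSS via improper rendering of file types
    "CVE-2025-2242": "17.4",     # downgraded admin keeps elevated privileges
    "CVE-2024-12619": "16.0",    # internal users reach internal projects
}


def parse_version(s: str) -> Version:
    """Turn '17.8.5' or '17.8.5-ee' (assumed suffix form) into (17, 8, 5)."""
    core = s.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, cve: str) -> bool:
    """True if `version` falls inside any affected window for `cve`."""
    v = parse_version(version)
    lo = parse_version(AFFECTED_FROM[cve])
    # Tuple comparison is lexicographic, so (17, 9) <= (17, 9, 2) < (17, 9, 3);
    # max(lo, start) keeps a window from reaching below the CVE's lower bound.
    return any(max(lo, start) <= v < end for start, end in ALL_WINDOWS)


def affected_cves(version: str) -> List[str]:
    """All CVEs from the advisory that apply to the given GitLab version."""
    return [cve for cve in AFFECTED_FROM if is_affected(version, cve)]


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for candidate in ("17.6.1", "17.8.5-ee", "17.8.6", "17.10.0", "17.10.1"):
        print(candidate, affected_cves(candidate) or "not affected")
```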
The update also addresses several other vulnerabilities, including:
- CVE-2024-10307: Uncontrolled resource consumption via maliciously crafted Terraform files in merge requests, reported by l33thaxor.
- CVE-2024-9773: Shell code injection in Harbor project name configuration when using helper scripts, reported by joaxcar.
- A prompt injection vulnerability in the GitLab Duo with Amazon Q integration, discovered internally by Félix Veillette-Potvin.
GitLab’s advisory emphasizes the urgency of this update: “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.”
Organizations using self-managed GitLab instances should prioritize applying these updates to mitigate the risk of exploitation. The severity of the XSS and privilege escalation vulnerabilities makes this update critical for maintaining the security and integrity of GitLab environments.