GitLab has announced the release of versions 18.2.2, 18.1.4, and 18.0.6 for both the Community Edition (CE) and Enterprise Edition (EE), addressing several high-impact security vulnerabilities. The company urges all users to update immediately, warning that the flaws could lead to account takeover, stored XSS exploitation, or service disruption if left unpatched.
High-Severity Vulnerabilities
1. CVE-2025-7734 – Cross-Site Scripting in Blob Viewer (CVSS 8.7)
A cross-site scripting flaw in the blob viewer could, under certain conditions, have allowed an attacker to inject content that executes in other users' browsers and performs actions on their behalf, which in practice means compromise of those users' accounts.
2. CVE-2025-7739 – Stored Cross-Site Scripting in Labels (CVSS 8.7)
Authenticated users could inject malicious HTML into scoped label descriptions. Because the payload is stored with the label, it executes in the browser of every user who views it, and could be used to hijack that user's session.
3. CVE-2025-6186 – Cross-Site Scripting in Work Items (CVSS 8.7)
This flaw allowed authenticated users to inject malicious HTML into work item names; when a targeted victim viewed the crafted item, the payload could be used to take over their account.
4. CVE-2025-8094 – Improper Handling of Permissions in Project API (CVSS 7.7)
Under certain conditions, an authenticated user with the Maintainer role could have caused a denial of service against other users' CI/CD pipelines by manipulating shared infrastructure resources beyond what that role is meant to control.
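Three of the four high-severity issues are stored XSS, so the payload lives in a database field (a label description or a work item title) and the patch only stops it from rendering; anything an attacker planted before the upgrade is still there and should be reviewed. The script below is an added example, not GitLab's own code: it pulls a project's labels and issues over the REST API and flags fields containing HTML tags, event-handler attributes or javascript: URLs. It assumes a self-managed instance at GITLAB_URL, a token with read_api scope in GITLAB_TOKEN, a project id or URL-encoded path in GITLAB_PROJECT, and that the issues endpoint covers the work item titles of interest; the sample label records are constructed.

```python
"""Triage helper (added example, not GitLab code): flag label descriptions and
issue titles that contain HTML markup or event-handler attributes.

Assumed: GITLAB_URL, GITLAB_TOKEN (read_api scope) and GITLAB_PROJECT in the
environment, plus the documented endpoints
GET /api/v4/projects/:id/labels and GET /api/v4/projects/:id/issues.
"""
import json
import os
import re
import urllib.parse
import urllib.request

# A stored-XSS payload needs a tag, an event handler or a javascript: URL.
# Plain text, Markdown emphasis and autolinks such as <https://...> do not
# match, but this is a heuristic: every hit still needs a human look.
HTML_PATTERN = re.compile(
    r"</?[a-z][a-z0-9-]*[\s>/]"  # a tag such as <img ..., <svg/..., </script>
    r"|\bon[a-z]+\s*="            # an event-handler attribute: onerror=, onload=
    r"|javascript\s*:",           # a javascript: URL in href/src
    re.IGNORECASE,
)


def find_suspicious(items, field):
    """Return (id, value) for every record whose `field` looks like markup."""
    hits = []
    for item in items:
        value = item.get(field) or ""
        if HTML_PATTERN.search(value):
            hits.append((item["id"], value))
    return hits


def fetch_all(base_url, token, path):
    """Walk GitLab's page-based pagination until an empty page comes back."""
    results, page = [], 1
    while True:
        query = urllib.parse.urlencode({"per_page": 100, "page": page})
        req = urllib.request.Request(f"{base_url}{path}?{query}",
                                     headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return results
        results.extend(batch)
        page += 1


def scan_project(base_url, token, project):
    """Scan one project's label descriptions and issue titles."""
    pid = urllib.parse.quote(str(project), safe="")  # allows "group/project"
    labels = fetch_all(base_url, token, f"/api/v4/projects/{pid}/labels")
    issues = fetch_all(base_url, token, f"/api/v4/projects/{pid}/issues")
    return {
        "labels": find_suspicious(labels, "description"),
        "issues": find_suspicious(issues, "title"),
    }


# Constructed sample records in the shape the labels API returns, so the
# matcher can be exercised offline.
SAMPLE_LABELS = [
    {"id": 1, "name": "priority::high", "description": "Needs attention *this* sprint"},
    {"id": 2, "name": "team::infra", "description": "<img src=x onerror=alert(document.cookie)>"},
    {"id": 3, "name": "docs", "description": "See <https://example.invalid/handbook>"},
]

if __name__ == "__main__":
    url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    if url and token:
        print(scan_project(url.rstrip("/"), token, os.environ.get("GITLAB_PROJECT", "1")))
    else:
        print(find_suspicious(SAMPLE_LABELS, "description"))
```

Run it without environment variables to see the matcher pick out only the second sample label; with GITLAB_URL and GITLAB_TOKEN set it walks the live project. Group labels (`/api/v4/groups/:id/labels`) and non-issue work items, which are served by the GraphQL work items API, are not covered and would need the same matcher applied to those responses.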
Other Vulnerabilities Addressed
The releases also fix several medium- and low-severity issues, including:
- CVE-2024-12303 – Incorrect privilege assignment in issue deletion
- CVE-2025-2614 – Resource exhaustion in release name creation
- CVE-2024-10219 – Authorization flaw in jobs API
- CVE-2025-8770 – Merge request approval policy bypass
- CVE-2025-2937 – Regex complexity DoS in Wiki
- CVE-2025-1477 – Mattermost integration DoS
- CVE-2025-5819 – ID token permission escalation
- CVE-2025-2498 – IP restriction bypass for assigned issues
Update Recommendations
GitLab strongly recommends upgrading to the patched versions:
- 18.2.2
- 18.1.4
- 18.0.6
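A quick way to tell whether an instance is already on a fixed release, as an added example rather than GitLab's own tooling: read the running version from the documented GET /api/v4/version endpoint (it requires an authenticated token) and compare it with the three patched versions above. It assumes GITLAB_URL and GITLAB_TOKEN in the environment for the live check, that minor lines newer than 18.2 were cut after these fixes and therefore contain them, and that lines older than 18.0 received no patch release and have to be upgraded along GitLab's required upgrade path; the sample version strings are constructed.

```python
"""Version check (added example, not GitLab code): is a GitLab instance on a
release that includes the fixes from this advisory?

Assumed: GET /api/v4/version with a PRIVATE-TOKEN header returns
{"version": "18.2.1-ee", ...}, and versions follow MAJOR.MINOR.PATCH.
"""
import json
import os
import re
import urllib.request

# Minimum safe patch level per minor line, as named in the advisory.
PATCHED = {(18, 0): 6, (18, 1): 4, (18, 2): 2}
OLDEST_PATCHED_LINE = (18, 0)  # anything older got no patch release (assumption)
FALLBACK_TARGET = "18.2.2"     # newest release named in the advisory

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'18.2.1-ee' -> (18, 2, 1); raises ValueError on anything unexpected."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (is_patched, recommended_target); target is None when patched."""
    major, minor, patch = parse_version(version_text)
    line = (major, minor)
    if line in PATCHED:
        needed = PATCHED[line]
        if patch >= needed:
            return True, None
        return False, f"{major}.{minor}.{needed}"
    if line < OLDEST_PATCHED_LINE:
        # Out of the maintenance window: no fixed release exists for this line,
        # so the only remedy is a (multi-step) upgrade to a patched line.
        return False, FALLBACK_TARGET
    # A minor line newer than the advisory covers; assumed to carry the fixes.
    return True, None


def fetch_version(base_url, token):
    """Read the running version from the documented version endpoint."""
    req = urllib.request.Request(f"{base_url}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["version"]


# Constructed sample versions for an offline run.
SAMPLE_VERSIONS = ["18.2.1-ee", "18.2.2-ee", "18.1.4", "18.0.5", "17.11.3", "18.3.0"]

if __name__ == "__main__":
    url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    versions = [fetch_version(url.rstrip("/"), token)] if url and token else SAMPLE_VERSIONS
    for v in versions:
        ok, target = assess(v)
        print(f"{v:12} {'patched' if ok else 'UPGRADE to ' + target}")
```

The check looks only at the version number, so it says nothing about whether stored XSS payloads already exist in the instance; that needs a content review after the upgrade.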