
GitLab has issued a security advisory, urging users to update their installations immediately to address a range of vulnerabilities, including a high-severity Cross-Site Scripting (XSS) flaw. The update, covering versions 17.8.2, 17.7.4, and 17.6.5 for both GitLab Community Edition (CE) and Enterprise Edition (EE), includes fixes for a total of nine security issues.
The most serious vulnerability, identified as CVE-2025-0376, is a high-severity XSS flaw that could allow an attacker to execute unauthorized actions via a change page. According to the advisory, “An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.” This vulnerability has a CVSSv3.1 score of 8.7, indicating its high potential impact.
In addition to the XSS flaw, the update also addresses several medium-severity vulnerabilities, including:
- Denial of Service due to Unbounded Symbol Creation (CVE-2024-12379): An attacker could exploit this vulnerability to impact the availability of GitLab by triggering unbounded symbol creation.
- Exfiltration of Private Issue Content using Prompt Injection (CVE-2024-3303): This vulnerability could allow an attacker to access and steal content from private issues.
- Unauthorized Access to Repositories (CVE-2025-1042): An insecure direct object reference vulnerability could allow attackers to view repositories without authorization.
- Internal HTTP Header Leak (CVE-2025-1212): Attackers could exploit this flaw to reveal sensitive information by sending a crafted request to the backend server.
- Server-Side Request Forgery (SSRF) via Workspaces (CVE-2024-9870): This vulnerability could allow attackers to send requests from the GitLab server to unintended services.
- Unauthorized Incident Closure and Deletion (CVE-2025-0516): Users with limited permissions could potentially close or delete incidents without proper authorization.
- ActionCable Token Invalidation Issue (CVE-2025-1198): Revoked Personal Access Tokens might still have access to streaming results due to long-lived connections in ActionCable.
GitLab strongly recommends that all users upgrade to the latest versions (17.8.2, 17.7.4, or 17.6.5) as soon as possible to mitigate these security risks. The updates are available for download on the GitLab website.
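For inventory checks, the affected ranges quoted above can be turned into a small version test. The following is an added example, not GitLab's own tooling; it assumes the version string comes from an existing inventory source (for instance the value printed by `gitlab-rake gitlab:env:info` or returned by the `/api/v4/version` endpoint, possibly with a `-ee` suffix) and encodes only the ranges the advisory states for CVE-2025-0376.

```python
# Added example (not GitLab's code). Checks whether a GitLab CE/EE version string
# falls inside the affected ranges stated in the advisory:
#   >= 13.3 and < 17.6.5,  >= 17.7 and < 17.7.4,  >= 17.8 and < 17.8.2
# and reports the patched release on the same branch.
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected version inclusive, fixed version exclusive), as stated in the advisory
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((13, 3, 0), (17, 6, 5)),
    ((17, 7, 0), (17, 7, 4)),
    ((17, 8, 0), (17, 8, 2)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    Accepts an edition suffix such as '17.6.4-ee' (assumed input format) and
    treats a missing patch component as .0, so '17.7' means 17.7.0.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range (lower bound inclusive,
    fixed version exclusive). Versions outside every range are not listed
    as affected by this advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release that closes the range containing `version`,
    or None when the version is not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("git-a", "17.6.4-ee"), ("git-b", "17.7.4"), ("git-c", "17.8.1")]:
        print(host, ver, "affected, upgrade to " + fixed_version_for(ver) if is_affected(ver) else "not affected")
```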